On July 24, 2020, Apple released the security content of iOS 13.6 and iPadOS 13.6. The Hillstone Security Research Team discovered a vulnerability of great significance to the optimization of Apple’s ecosystem. YongYue “BigChan” Wang, a member of the Hillstone Security Research Team, discovered the 0-click remote arbitrary file and write vulnerability in the Email component (CVE-2020-9920). Upon notifying Apple, Hillstone received an official thank-you note from Apple. Below are the details of the vulnerability.
CVE-2020-9920: A path handling issue in the Mail component of Apple macOS Catalina, Apple iOS, and iPadOS could allow a local attacker to overwrite arbitrary files. By exploiting this vulnerability, a malicious mail server could overwrite arbitrary mail files.
Hillstone Security Research Team
As a leading provider of Enterprise Network Security and Risk Management solutions, protecting our customers in a proactive way is our highest goal, which is why we have dedicated so many security research team members and resources to uncovering vulnerabilities in widely used products. We will continue to devote our efforts to safeguarding global network security.