Maxim Goncharov

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 11 **Description** The issue involves the `Exchange ActiveSync` component and allows remote attackers to erase a device by hijacking a cleartext `AutoDiscover V1` session during the setup of an Exchange account. This occurs due to improper permission handling when setting up an account, which can be exploited by a remote attacker to delete data on the device. **Recommendations** For iOS versions prior to 11, consider disabling the `Exchange ActiveSync` component until a fix is available to prevent remote attackers from exploiting this issue. Restrict access to the `AutoDiscover V1` session to minimize the risk of exploitation. Avoid using the `Exchange ActiveSync` component for setting up Exchange accounts until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 10.3 **Description** The issue involves the `DataAccess` component and allows remote attackers to access Exchange traffic in certain circumstances by leveraging a mistake in typing an e-mail address. This is due to insufficient input validation, which can be exploited by a remote attacker to gain access to traffic exchange by utilizing an error in typing an email address. **Recommendations** For iOS versions prior to 10.3, update to version 10.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `DataAccess` component until a patch is available.