Details Surface on Patched Sandbox Violation Vulnerability in iOS

Apple patched an issue last week in iOS that could have allowed attackers to bypass the third-party app-sandbox protection mechanism on devices and read arbitrary managed preferences via a special app.

The issue, which was present in versions of iOS prior to 8.4.1, stems from a vulnerability with both the sandbox_profiles and CFPreferences components of the operating system. Both are used when it comes to storing and retrieving preference keys and values on Apple devices.

According to two CVEs filed for the vulnerability, Andreas Weinlein, a researcher with the security firm Appthority, discovered the issue, nicknamed Quicksand, and reported it to Apple.

The vulnerability affected devices that had mobile device management (MDM) software installed on them. MDM software is primarily used by IT departments to monitor and manage data, email and apps across multiple devices. Appthority warns, however, that when certain files, namely managed app configuration files, are pushed to devices via MDM, a sandbox violation can occur. Assuming an attacker can wedge a line of code into running processes, they could call upon a library on the phone, /Library/Managed Preferences/mobile/, and access sensitive app configuration and setting information.

To carry out the attack an attacker would have to get the target to download a specialized app.

“Once the app gets downloaded and installed on the devices, it would continuously monitor the directory for configuration settings being written to the world readable directory, harvesting and sending them to the attacker,” a blog entry published Wednesday about the vulnerability reads.

Appthority claims it has reached out to several MDM companies to tip them off about the vulnerability, and maintains that once an attacker gleans information such as credentials or details about the company’s managed device infrastructure, they could use those to access the services themselves.

The firm goes on to caution in its blog that following a quick scan of apps “residing on enterprise managed devices” it found that nearly half of them (47 percent) discussed credentials, usernames, passwords and authentications, and that more than half (67 percent) referenced server identification information, statistics that suggest that no amount of sandboxing can prevent poorly kept data from being hacked.
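As an added example (not from the article or from Appthority), here is a pre-deployment audit an MDM administrator could run over a managed app configuration payload to flag the two kinds of values the scan above counted: credentials and server identification. The key-name patterns and the sample plist are constructed assumptions.

```python
import plistlib
import re

# Assumed key-name heuristics for this example; they are not Appthority's scan rules.
CREDENTIAL_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|credential|user|auth", re.I)
SERVER_KEY = re.compile(r"server|host|url|endpoint|domain", re.I)
URL_WITH_USERINFO = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)

# Constructed sample of a managed app configuration payload (not real data).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ServerURL</key><string>https://mdm.example.com/api</string>
  <key>Account</key><dict>
    <key>Username</key><string>svc-sync</string>
    <key>Password</key><string>CONSTRUCTED-VALUE</string>
  </dict>
  <key>Mirrors</key><array>
    <string>https://sync:CONSTRUCTED@files.example.com/</string>
  </array>
  <key>EnableLogging</key><true/>
</dict></plist>"""

def leaves(node, path="", key=""):
    """Yield (path, nearest_key, value) for every scalar in a nested plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from leaves(v, f"{path}[{i}]", key)  # list items inherit the parent key
    else:
        yield path, key, node

def audit_managed_config(plist_bytes):
    """Return (path, category) pairs; values are never echoed into the report."""
    findings = []
    for path, key, value in leaves(plistlib.loads(plist_bytes)):
        if isinstance(value, bool) or value in ("", None):
            continue  # flags and empty placeholders carry nothing sensitive
        text = value if isinstance(value, str) else ""
        if CREDENTIAL_KEY.search(key) or URL_WITH_USERINFO.match(text):
            findings.append((path, "credential"))
        elif SERVER_KEY.search(key) or re.match(r"https?://", text, re.I):
            findings.append((path, "server"))
    return findings

if __name__ == "__main__":
    for path, category in audit_managed_config(SAMPLE):
        print(f"{category:10} {path}")
```

Anything reported as `credential` is a candidate to move out of the pushed configuration and into the Keychain or a per-device enrollment token.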

According to the security notes on iOS 8.4.1, which was pushed out last week, Apple claims it addressed the issue by improving the third-party sandbox profile. It was one of several bugs the Cupertino giant patched, along with fixes for Content Security Policy, WebKit, and cookie leakage.
