APPLE'S IOS IS ONCE AGAIN the parent of a bug. This one is called Quicksand, and was left on the Cupertino doorstep by the Appthority Enterprise Mobility Threat Team.
A report on the Appthority pages picks apart the flaw, and points towards the relevant Apple support pages. We have asked Apple for comment on the new arrival and are currently waiting for news from the ward.
Appthority has enough to be getting on with, saying in a blog post that the Quicksand zero-day vulnerability was picked up earlier this year and passed onto Apple. The company said that the problem applies at the sandbox and mobile device management (MDM) levels, and represents a problem. Natch.
"Earlier this year Appthority discovered a previously unknown sandbox violation (zero-day) in Apple's iOS. The violation affects all MDM clients as well as any mobile apps distributed via an MDM that use the Managed App Configuration setting to configure and store private settings and information," the post explained.
"The underlying issue with our critical sandbox violation discovery is that not only can a mobile app (or the MDM vendor app itself) have access to this sensitive set-up and authentication information stored on the device, but anyone (or any other app on the device) can see the credential information on the mobile device as it is stored ‘world readable'."
What this means, to those of you at the back, is that a malicious person could use social engineering, email or a dirty iTunes app to spike and spoil enterprise systems via iOS.
"The impact on the security of a specific enterprise depends highly on the kind of information they are provisioning using managed configurations," Appthority added.
"To gauge the severity of the vulnerability we ran a search across our global app collection of millions of apps residing on enterprise managed devices. We then narrowed down the apps that have a dependency on managed configurations, finding the majority were MDM clients, corporate apps to access work email and business documents, or secure web browser apps used to access enterprise networks."
The firm added that Apple has patched the problem, but has made it available only for the most recent versions of iOS.
"Storing any credentials or authentication tokens on the mobile device filesystem should be avoided," Appthority said.
"Appthority has identified that up to 70 percent of iOS devices are not running the latest version of iOS, even several months after an update is issued. Further, even on devices that are patched, the risk exists that the mobile device is compromised and no amount of sandboxing will protect the data stored on the iOS device."
So. Just update, already. µ
Linux hits the DeX
The Net' is closing in
Firm was quick to CClean up after the attack
Sorry (not Siri)