Sinking into the iOS Quicksand Vulnerability

Our investigation on the iOS Quicksand vulnerability (designated with CVE-2015-5749) leads us to the conclusion that this security gap, despite its serious risks to confidential data, is difficult to exploit due to its required specific conditions.

For instance, the MDM product must support and use the “push configuration” feature; this feature normally allows a device administrator to send configuration information together with any applications that are pushed to the user device. This is a practice that Apple discourages.

Sinking into to the Quicksand

Based on reports, the Quicksand vulnerability bypasses the iOS sandbox protection and affects mobile device management (MDM) clients. iOS versions before 8.4.1 released last August 2015 are affected by this security issue. Note that the Trend Micro mobile solutions with MDM features are not vulnerable to this security loophole or to any attacks that may leverage this vulnerability in the future.

The iOS sandbox allows the separation or isolation of each application from other applications as well as to the operating system (OS). It functions as a security measure, a kind of ‘safety net’ in order to prevent any malicious app from accessing the contents of the other apps on your device. However, successful exploitation of the vulnerability enables attackers to use an app with malicious code to see other information stored on the other apps’ configuration found inside the device.

Figure 1. The configuration is saved in the client’s directory, “/Library/Managed Preferences/mobile/.”

Figure 2. Attacker can employ this vulnerability to read this configuration’s sensitive information

On the other hand, an attacker could also possibly trick an employee or user into installing an app (which in actual is the malware) in the MDM’s client via App Store or enterprise certificate. In enterprise provisioning, organizations and companies can create their own in-house apps without necessarily going through Apple Store for checking and verification.

Imagine an enterprise setting wherein in-house enterprise apps are deployed by MDM clients. These MDM clients are used are used by IT administrators to be able to control and oversee all employee owned/liable devices that access the corporate network and sensitive information. An attacker may capitalize on this notion of ‘trusted source’ and may lure employees into installing a malicious app coming from their MDM thinking it’s legitimate.

Keeping things in (security) perspective

Although there are serious risks to enterprise data if this vulnerability gets successfully exploited in the wild, the impact is minimal. For one, not all iOS devices have MDM clients turn on. We advise users to update their iOS devices to its latest version. For in-house apps, it’s crucial for employees to have it verified first to their IT administrators if the deployed apps are valid and legitimate. This could prevent any malicious apps from entering the corporate network and consequently, stealing sensitive data.

Trend Micro detects this threat as IOS_PushCfgVul.A.