This week, FireEye published information about the so-called “Masque” vulnerability in iOS. The vulnerability allows a malicious application to be installed on top of an existing one, after which the new application gets access to all the files of the previous one. This works provided that the application being installed has the same “bundle identifier”, which iOS & OS X use to identify applications at the OS level, for example, when delivering updates to them. All versions of iOS since 7.1.1 are affected, including the latest iOS 8.1.1 beta.

In an attack scenario using this vulnerability, the user receives a message with a link to install a malicious application disguised as a legitimate one. As in the case of the iOS / Wirelurker malware, which we wrote about here, to install an application (IPA container) on iOS without a jailbreak, the malware must use the “enterprise provisioning” method, and the file to be installed must be signed with a digital certificate issued by Apple. The new application must have the “bundle identifier” of an already installed application (but not one that is native to iOS), which allows it, once installed, to access all the files of the old application and later send them to the attackers' server.
The new application cannot overwrite an application built into iOS, for example, Safari or Mail, but by using the well-known “bundle identifier” of another application, it can access all of that application's confidential data. This can be online banking data, private messages and any other information of interest to the attackers.
The advantage of the “enterprise provisioning” method is that an application delivered under this scheme does not have to be submitted to Apple for a security review, as is the case with the App Store. In addition, for devices without a jailbreak, this is practically the only way to install an application on iOS while bypassing the App Store. It is assumed that the application will be signed with a certificate issued by Apple, and that this is enough to confirm its legitimacy.
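A defensive check for the scenario described above, as an added example that is not from FireEye or the original article: it reads the bundle identifier and provisioning profile out of an IPA and flags a package that reuses the identifier of an already installed application while carrying a different signer. The inventory, the team IDs and the sample IPA are constructed, and comparing signer identity is this example's own assumption about what a pre-install review should verify.

```python
import io
import plistlib
import re
import zipfile

# Hypothetical inventory (e.g. from MDM): bundle identifier -> team ID that
# signed the copy already installed on the device. All values are constructed.
INSTALLED = {"com.example.bank": "TEAMAAAAAA", "com.example.chat": "TEAMBBBBBB"}

def _embedded_plist(blob):
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision."""
    m = re.search(rb"<\?xml.*?</plist>", blob, re.DOTALL)
    return plistlib.loads(m.group(0)) if m else {}

def inspect_ipa(data):
    """Return bundle id, signing team and enterprise flag for an IPA (a zip)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        pattern = r"Payload/[^/]+\.app/Info\.plist"
        info = next((n for n in names if re.fullmatch(pattern, n)), None)
        if info is None:
            raise ValueError("not an IPA: no Payload/*.app/Info.plist")
        bundle_id = plistlib.loads(z.read(info)).get("CFBundleIdentifier")
        prof_name = info.rsplit("/", 1)[0] + "/embedded.mobileprovision"
        prof = _embedded_plist(z.read(prof_name)) if prof_name in names else {}
    team = (prof.get("TeamIdentifier") or [None])[0]
    # ProvisionsAllDevices is set in enterprise (in-house) profiles.
    return {"bundle_id": bundle_id, "team": team,
            "enterprise": bool(prof.get("ProvisionsAllDevices", False))}

def masque_risk(data, installed=INSTALLED):
    """Flag an IPA that reuses an installed app's bundle id under another signer."""
    meta = inspect_ipa(data)
    expected = installed.get(meta["bundle_id"])
    meta["collision"] = expected is not None and meta["team"] != expected
    return meta

def build_sample_ipa(bundle_id, team, enterprise=True):
    """Construct a minimal in-memory IPA for the demo (not a real signed app)."""
    profile = plistlib.dumps({"TeamIdentifier": [team],
                              "ProvisionsAllDevices": enterprise})
    info = plistlib.dumps({"CFBundleIdentifier": bundle_id})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/App.app/Info.plist", info)
        # Constructed stand-in for the CMS wrapper around the profile plist.
        z.writestr("Payload/App.app/embedded.mobileprovision",
                   b"\x30\x80CMS" + profile + b"\x00sig")
    return buf.getvalue()
```

A result with both `collision` and `enterprise` set is the combination the article describes: an enterprise-provisioned package reusing the bundle identifier of an application that is already installed.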
It is possible that we have approved malicious software. You’re not really affected by this attack. I like the app store. If you have a secure online website
Apple also updated information on the “enterprise provisioning” scheme in its support article.