CVE-2014-4493

Vulnerability

The app-installation functionality in MobileInstallation on Apple iOS prior to version 8.1.3 allows an attacker who has access to an enterprise distribution certificate to sign a crafted application. This vulnerability affects iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later running iOS versions before 8.1.3 [1].

Exploitation

An attacker must first obtain or have access to a valid enterprise distribution certificate, which is typically used for internal app distribution. With this certificate, the attacker signs a maliciously crafted app and installs it on a target device. The installation process does not properly restrict the app's container, allowing the attacker to gain control over the local app container [1].

Impact

Successful exploitation gives the attacker control of the local app container, potentially allowing access to sensitive data stored by other apps or the system. This could lead to further compromise of the device's security and user privacy [1].

Mitigation

Apple addressed this issue in iOS 8.1.3, released on January 27, 2015. Users should update their devices to iOS 8.1.3 or later via Settings > General > Software Update. No workarounds are documented for this vulnerability [1].