SimpleMDM Team Discovers iOS Certificate Security Vulnerability

Among the enhancements released with iOS 9.3 is a patch for a security vulnerability discovered by the SimpleMDM team.

The vulnerability, CVE-2016-1766, was discovered in October of last year and allowed an untrusted MDM profile to be considered trusted. This permitted third parties to falsely identify themselves and appear as trusted by iOS. The vulnerability was rated CVSS 10, the highest vulnerability score possible based on impact and exploitability.

Upon identifying this vulnerability, we verified our service was not and would not be affected. We then followed responsible disclosure guidelines, which involve notifying appropriate parties of the issue privately and providing them time to patch the vulnerability.