Apple has a list of 224 root certificates that it trusts. As part
of the attack, the anonymous researchers obtained a signature
certificate from VeriSign for a company named Apple Computer. They
backed the certificate up to disk, then used iPCU to create a
mobileconfig file called “Security Update,” and attributed it to
Apple Computer. They then exported it to disk without a signature
as an XML file. They then signed the file and its CA trust chain
and uploaded it to a Web server.
Opening the file with Safari on an iPhone results in the phone
trusting the configuration file.
Charlie Miller verifies that it works, but also states it doesn’t lead to remote code execution. What popped out at me is that VeriSign issued a security certificate in the name of “Apple Computer” without, you know, verifying that it was Apple.