The Inquirer-Home

Apple fails to fix a longstanding sandbox vulnerability in OS X

Bug could allow processes to bypass sandbox protection
Mon Nov 14 2011, 12:08

TABLET AND SMARTPHONE MAKER Apple has failed to fix a bug in its Mac OS X operating system that allows processes to bypass the sandbox protection in place.

The flaw was discovered by Anibal Sacco and Matias Eissler from Core Security Technologies. They let Apple know about the problem on 20 September, and while Apple acknowledged their submission, it said that it did not see any security threat, forcing the Core Security Technologies team to publish the report this month.

The problem appears to be with the use of Apple events in several default profiles, including the no-network and no-internet ones. When Apple events are dispatched, a process can escape the sandbox, which could be exploited by hackers.

A compromised application restricted by the no-network profile could still gain access to network resources by using Apple events to execute other applications that are not restricted by the sandbox, making it a significant security threat.

Only the more recent versions of Mac OS X are vulnerable to this bug, including 10.5.x, 10.6.x, and 10.7.x. Those using 10.4.x are safe from the exploit.

What is interesting about this bug is that it has existed, in one form or another, since 2008. Back then, security expert Charlie Miller gave a talk at Black Hat Japan showing how to circumvent the sandbox protection. Apple responded by restricting the use of Apple events in the cited profiles, but did not modify the generic profiles themselves, leaving OS X still vulnerable to attack.

Three years later and we're still seeing the problem. Let's hope that it's not as undying as the daylight saving time bug on iOS. µ

Comments
hacks....

Speaking of Linux hacking... my company had a bunch of BSD servers get hacked a couple of weeks ago. Granted, they weren't properly firewalled and I doubt they had the latest updates... But people can and do hack non-Windows systems. That's about the 4th time I've seen one or more Linux or BSD servers get hacked.

posted by : Andrew, 14 November 2011
1,600 Security Vulnerabilities in OS-X

There are over 1,600 known Security Vulnerabilities in OS-X. (Compared to about 180 in Windows 7 and 450 in Windows XP.)

Apple's OSes have terrible security and known critical vulnerabilities frequently go unpatched for years.

In fact the only thing with worse security than OS-X is Linux.

posted by : TDR, 14 November 2011