Apple fails to fix a longstanding sandbox vulnerability in OS X

Bug could allow processes to bypass sandbox protection
Mon Nov 14 2011, 12:08

TABLET AND SMARTPHONE MAKER Apple has failed to fix a bug in its Mac OS X operating system that allows processes to bypass the sandbox protection in place.

The flaw was discovered by Anibal Sacco and Matias Eissler from Core Security Technologies. They let Apple know about the problem on 20 September, and while Apple acknowledged their submission, it said that it did not see any security threat, forcing the Core Security Technologies team to publish the report this month.

The problem appears to be with the use of Apple events in several default sandbox profiles, including the no-network and no-internet ones. By dispatching Apple events, a process can escape the sandbox, which could be exploited by hackers.

A compromised application restricted by the no-network profile could use Apple events to execute other applications that are not restricted by the sandbox, and through them gain access to network resources, making it a significant security threat.

Only the more recent versions of Mac OS X are vulnerable to this bug, including 10.5.x, 10.6.x, and 10.7.x. Those using 10.4.x are safe from the exploit.

What is interesting about this bug is that it has existed, in one form or another, since 2008. Back then security expert Charlie Miller gave a talk at Black Hat Japan showing how to circumvent the sandbox protection. Apple responded by restricting the use of Apple events in the cited profiles, but did not modify the generic profiles themselves, leaving OS X still vulnerable to attack.

Three years later and we're still seeing the problem. Let's hope that it's not as undying as the daylight savings time bug on iOS. µ

 
