All this while Apple is telling developers to focus on sandboxing their apps for security

Nov 14, 2011 14:30 GMT

Titled “Apple OS X Sandbox Predefined Profiles Bypass”, a security advisory over at CoreLabs Research describes a potential flaw that could allow rogue apps to execute commands without any input from, or knowledge of, the user.

Affecting OS X Leopard, Snow Leopard, and Lion, the vulnerability is described as follows:

“Several of the default pre-defined sandbox profiles don't properly limit all the available mechanisms and therefore allow exercising part of the restricted functionality. Namely, sending Apple events is possible within the no-network sandbox (kSBXProfileNoNetwork). A compromised application hypothetically restricted by the use of the no-network profile may have access to network resources through the use of Apple events to invoke the execution of other applications not directly restricted by the sandbox.”

CoreLabs appropriately points out that it was a famous security researcher who originally discovered a similar issue a few years back.

The hacker in question, none other than Charlie Miller, mentioned a few processes sandboxed by default and a method to circumvent the protection in his talk at Black Hat Japan 2008.

“Sometime after the talk, Apple modified the mentioned profiles by restricting the use of Apple events but did not modify the generic profiles,” CoreLabs says.
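As an added illustration (not code from the advisory, from Apple, or from CoreLabs), here is the weak setup the advisory describes, a command run under the predefined no-network profile, beside a custom sandbox profile that also denies Apple events, the channel the predefined profile leaves open. The profile text uses Apple's sandbox profile language; `sandbox-exec` exists only on macOS (and is deprecated there), so only the profile-content check runs elsewhere, and the `run_*` function names are my own.

```shell
#!/bin/sh
# Added example, not from the CoreLabs advisory. Contrasts the predefined
# no-network profile (kSBXProfileNoNetwork, "no-network" to sandbox-exec)
# with a custom profile that also denies Apple events, so a sandboxed
# process cannot drive an unsandboxed app into reaching the network for it.
# (version 1), network* and appleevent-send are real sandbox profile
# language syntax; sandbox-exec is macOS-only and deprecated.

# Weak: rely on the predefined profile, which does not restrict Apple events.
run_weak() { sandbox-exec -n no-network "$@"; }

# Custom profile: deny the network AND the sending of Apple events.
hardened_profile() {
    cat <<'EOF'
(version 1)
(allow default)
(deny network*)
(deny appleevent-send)
EOF
}

# Hardened: write the custom profile to a temp file and apply it with -f.
run_hardened() {
    profile=$(mktemp) || return 1
    hardened_profile > "$profile"
    sandbox-exec -f "$profile" "$@"
    status=$?
    rm -f "$profile"
    return $status
}

# Check helper: does a profile file close both channels? (0 = yes)
profile_denies_both() {
    grep -q '^(deny network\*)$' "$1" && grep -q '^(deny appleevent-send)$' "$1"
}
```

Everything the custom profile does not explicitly deny is still allowed by `(allow default)`, so tighten further to match what the confined program actually needs.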

CoreLabs Research credits Anibal Sacco and Matias Eissler from Core Security Technologies for discovering and documenting the flaw in question, while the firm’s Carlos Sarraute coordinated the publication of their advisory.

The full report, complete with a more technical description and proof-of-concept code, can be found here: http://www.coresecurity.com/content/apple-osx-sandbox-bypass

In related news, a developer writing code for Delicious Monster also issued a take on Apple’s decision to enforce a sandboxing requirement for Mac App Store apps, noting that “they are forcing developers to use the wrong [tools].” Full story here.