Security researchers break out of Apple's sandbox
Apple not fussed
Researchers claim to have discovered a vulnerability with the sandbox security mechanism used by Apple.
The sandbox, which is baked into the kernel of Mac OS X, is designed to apply application restrictions, so that code that has no reason to access a network isn't able to access a corporate LAN or the internet, for example. The restriction means that even if the code contains bugs, hackers will be stuck if they try to exploit the vulnerability to do anything else.
All applications published through the App Store "must implement sandboxing" by the start of March 2012.
However, at least according to Core Security, the sandboxing is flawed. Processes directly spawned by a sandboxed application are blocked but indirectly spawned processes are permitted, according to Core, which has published an advisory containing harmless proof of concept code to illustrate its concerns.
The upshot of this is that "you can use Apple Script to tell OS X to start some other arbitrary program (or a second copy of your own) which won't inherit your sandbox settings," explains Paul Ducklin of net security firm Sophos.
Rather than make its sandbox harder to break out of, Apple reportedly wants to address Core's finding by documenting that its restrictions can't be assumed to apply to any process other than the sandboxed one. Core is less than satisfied by this response and wants stricter sandbox controls.
The timeline of Core's dialogue with Apple over the issue once again illustrates the problematic relationship between Apple and security researchers most clearly illustrated by its expulsion of renowned security researcher Charlie Miller from its developer programme last week. Miller found a security hole in iOS that created a means for an application download new unapproved software onto an iPhone or iPad. An application he created exploiting this vulnerability was approved and published on Apple's App Store.
This earned Apple's ire, and expulsion, but if Miller hadn't proved that the problem was real Apple might have been tempted to dismiss it as purely theoretical. ®