Slashdot Mirror


Mac OS X Sandbox Security Hole Uncovered

Gunkerty Jeb writes "Researchers at Core Security Technologies have uncovered a security hole that could allow someone to circumvent the application sandbox restrictions of Mac OS X. The report of the vulnerability, which affects Mac OS X 10.7x, 10.6x and 10.5x, follows Apple's announcement earlier this month that all applications submitted to the Mac App store must implement sandboxing as of March 1, 2012. Sandboxing, Apple has argued, limits the resources applications can access and makes it more difficult for malware to compromise systems. Researchers at Core however revealed Nov. 10 that they had warned Apple in September about a vulnerability in their sandboxing approach. According to Core's advisory, several of the default predefined sandbox profiles fail to 'properly limit all the available mechanisms.' As a result, the sandboxing restrictions can be circumvented through the use of Apple events."

32 of 155 comments

  1. Put off requiring sandboxing by 0racle · · Score: 5, Interesting

    Apple recently announced they were pushing back the requirement for sandboxing; originally the requirement was November. Maybe this is why.

    --
    "I use a Mac because I'm just better than you are."
  2. Nothing to see here by Anonymous Coward · · Score: 2, Informative

    This is a fake story about a fake hole. The "vulnerability" is that some sandbox profile, called "no-network", which isn't part of App Sandbox (a totally different sandbox technology, that will be required for apps on March 2012), but rather part of the legacy sandbox technology that was unused by 3rd party developers, only prevents network access. Yes, the no-network profile only prevents network access.

    It's sad what's happened to Core Security in the past year or so.

    1. Re:Nothing to see here by Decameron81 · · Score: 5, Informative

      > This is a fake story about a fake hole. The "vulnerability" is that some sandbox profile, called "no-network", which isn't part of App Sandbox (a totally different sandbox technology, that will be required for apps on March 2012), but rather part of the legacy sandbox technology that was unused by 3rd party developers, only prevents network access. Yes, the no-network profile only prevents network access.

      > It's sad what's happened to Core Security in the past year or so.

      No, it's not a fake vulnerability. You should read the report (RTFR?).

      The vulnerability is about how apple events can be used to bypass the sandboxing of an application, and in this particular case to gain unrestrained network access even though the app is tagged as "no-network". According to the report it can be used to bypass other restrictions too.

      --
      diegoT
    2. Re:Nothing to see here by TheRaven64 · · Score: 3, Funny

      Yup, no vulnerability at all. Have you read the documentation for using Apple Events? The chances of anyone successfully implementing anything that relies on them are basically zero.

      --
      I am TheRaven on Soylent News
    3. Re:Nothing to see here by elrous0 · · Score: 2

      Michael, when you're in a hole, stop digging.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
  3. apples sandbox goes too far and for multi user setu by Joe_Dragon · · Score: 2

    http://www.lowendmac.com/newsrev/11mnr/1111.html#1
    http://www.cultofmac.com/113977/os-x-lion-sandboxing-is-a-killjoy-destined-to-ruin-our-mac-experience/

    Why make it so you don't have the ability to save changes to files that you do not own? Why have it ask for admin rights when doing so?

  4. under the sandbox adobe CS apps will not be able t by Joe_Dragon · · Score: 2

    Under the sandbox, Adobe CS apps will not be able to work with each other, and even then it will be a hard fit into the App Store.
    The top of the line pack is US$2,599, way over the App Store max price of $999, and even then that is like $780 for Apple's cut; now I think it costs way less than that to sell it on your own per copy.

    Also, Adobe has upgrade pricing as well. Will the App Store system let you have upgrade prices? Even from older versions not in the App Store.

  5. No, this is a very serious issue. by Anonymous Coward · · Score: 3, Insightful

    Ever since JavaScript, iOS, and Android became widely hyped, we've heard a lot of fools screaming on about how sandboxing is somehow the solution to all of computing's ills. They claim it'll provide perfect security, and processes will be totally isolated from one another, and performance won't suffer, and a whole host of other claims that are utter bullshit.

    This incident is so important just because it blows a hole in everything these sandbox-loving idiots are claiming. This is important because it's reality putting their silly theoretical beliefs in the spotlight, where everyone can see just how full of shit the "sandboxing is the answer!" crowd is.

    Those of us who have pointed out that all sandboxes are imperfect, and are merely another tool in our toolbox, have been proven right once again. After all, we've been dealing with these sandboxing techniques since they were first implemented on mainframe systems, and then later in most commercial UNIX systems and the BSDs, and then by the JVM and .NET.

    Sandboxing has its place. Like I said, it's one tool among many. But it's not the savior that so many have claimed it to be, especially as of late. I suppose that we shouldn't be surprised that these fools are so wrong. After all, many of these "programmers" only know JavaScript. Hell, some of them were born after 1990, a good 20 years after we realized what the problems were with sandboxing after it had been implemented on mainframes back in the 1960s and 1970s.

    1. Re:No, this is a very serious issue. by RCL · · Score: 2

      We need to stop fighting viruses. This security-oriented crusade starts to seriously threaten our freedom.

  6. Broken concept by Anonymous Coward · · Score: 5, Informative

    > Yes, the no-network profile only prevents network access.

    1. The no-network profile does *not* prevent network access; see the PoC [1].
    2. The concept itself is broken: a sandbox which *only* prevents network access is completely useless. As a result, network access is available to sandboxed applications.

    [1] http://www.coresecurity.com/content/apple-osx-sandbox-bypass
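The profile under discussion is a legacy SBPL profile of the kind loaded by sandbox-exec on 10.5 through 10.7. The two profiles below are an added illustration, not the text of Apple's shipped no-network profile or anything from the Core advisory: the first sketches the shape of a network-only deny rule, the second shows the defensive idea of also closing the Apple Events IPC channel. The profile contents and the Apple Events Mach service name are reconstructed assumptions and should be checked against the system you deploy on.

```scheme
;; File 1 (assumed shape of a "no-network"-style legacy profile).
;; Everything is allowed unless a later rule denies it.
(version 1)
(allow default)
;; The process itself may not create or use network sockets...
(deny network*)
;; ...but nothing here stops it from talking over Mach IPC (Apple Events)
;; to an unsandboxed process that is free to use the network on its behalf.

;; File 2 (hardened variant, added example).
;; Same starting point, plus the IPC channel Apple Events ride on is closed.
;; "com.apple.coreservices.appleevents" is the assumed name of the
;; Apple Events Mach service on these releases; verify it before relying on it.
(version 1)
(allow default)
(deny network*)
(deny mach-lookup (global-name "com.apple.coreservices.appleevents"))
;; Caveat: an allow-by-default profile only closes the routes you name.
;; A deny-by-default profile with explicit allows (the App Sandbox approach)
;; is the robust form, because any IPC route you forgot stays closed.
```

Each file is used on its own, for example `sandbox-exec -f no-network-hardened.sb /path/to/app`; the two are shown together only to put the weak and hardened rule sets side by side.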

    1. Re:Broken concept by drinkypoo · · Score: 2

      firewall != sandbox

      A sandbox is a limited privilege execution environment. That is different from a firewall, or an ACL list, or an IP table, et cetera.

      you're a schmuck.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Broken concept by Anonymous Coward · · Score: 2, Insightful

      > 2. The concept itself is broken, a sandbox which *only* prevents network access is completely useless.

      A sandbox doesn't have to be watertight to be useful, as the goal isn't just blocking malicious applications, but also inspecting and controlling legitimate applications. Games for example often do network access, even when not needed, a personal firewall or sandbox can prevent that. That the protection can be circumvented isn't an issue here, as that would mean breaking the law and most companies wouldn't go that far just to collect some user data.

  7. Re:Steam can't run in a sandbox so apple can lock by smash · · Score: 5, Informative

    This will not happen. I see this bullshit paranoia all the time. The mac will NOT be app-store only. However, if you CHOOSE to run app store only apps, you get sandboxed, vetted apps from a trusted vendor. Windows 8 is going the same way.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  8. Sandbox holes will then become a "feature". by Anonymous Coward · · Score: 4, Interesting

    You're absolutely right. This is always the path taken with sandboxing. Once people realize that the sandbox is preventing them from getting real work done, the next hyped "feature" is usually some way to bypass the sandbox.

    This is exactly what IPC was on UNIX systems, for instance. It allowed unrelated and isolated processes to communicate with one another. For a while it was one of the big selling points of certain commercial UNIX variants.

    Apple and Microsoft (with Windows 8) are merely 30 years behind those who were the true leaders. But instead of learning from history, they'll spend the next few years causing numerous problems thanks to sandboxing, and then sometime around 2015 or 2016 we'll see support for bypassing the sandbox start getting hyped as a competitive advantage.

    1. Re:Sandbox holes will then become a "feature". by CharlyFoxtrot · · Score: 3, Insightful

      > You're absolutely right. This is always the path taken with sandboxing. Once people realize that the sandbox is preventing them from getting real work done, the next hyped "feature" is usually some way to bypass the sandbox.

      No they won't because "people" don't understand filesystems, that's a geek thing. That's why so many people have all their files on their desktop. Computing is finally tilting away from geeks and towards making norms comfortable. Don't worry, you'll always have Linux.

      --
      If all else fails, immortality can always be assured by spectacular error.
    2. Re:Sandbox holes will then become a "feature". by CharlyFoxtrot · · Score: 3, Insightful

      Just go look at some Windows users in the wild. The fact that they had to create an automatic desktop cleanup wizard for Windows speaks volumes. People who do this all say the same thing: it's convenient, they know where the files are and don't have to think about it. We are categorizers, we think in trees and hierarchies; normal people just use stacks. As in: a stack of papers on my desk ("it's in here somewhere") and a stack of files on their desktop.

      Part of this is solved by search, like Gmail does: don't sort your mail, just search it. Apple also does this with Spotlight, its system-wide search. Another solution is to keep data tied to an app. Arguably Apple already does this with iTunes and iPhoto, which are backed by folders, but folders you never need to go into because you access your data through the apps. The data stays in the app where you "left it" until you explicitly export it in some way. This seems much more intuitive to normal people and works well with sandboxing. It's also abhorrent to geeks because they fear lock-in, although personally I think it's difficult to imagine lock-in in an internet-connected world where the first feature users ask of their software is easy sharing.

      --
      If all else fails, immortality can always be assured by spectacular error.
    3. Re:Sandbox holes will then become a "feature". by Moridineas · · Score: 2

      I really think this has far more to do with your personality and organizational type than geek vs non-geek. It's pretty well established that people organize in different ways (stackers, spreaders, filers, etc). I guess it's probable that there's some correlation in that perhaps computers geeks are more likely to be filers, but that's not been my personal experience.

      I keep a ton of files on my Desktop at any one time. I don't think that in any way disqualifies me from being a geek! Likewise, one of the artists I work with NEVER has a single sheet of paper on her desk (beyond the one or two she is currently working on) and has only a single icon on her desktop. Does that make her a geek?

  9. Re:Steam can't run in a sandbox so apple can lock by PopeRatzo · · Score: 2, Insightful

    > The mac will NOT be app-store only.

    I think some will be app-store only.

    I would not be surprised if iMacs or entry-level Macs become app-store only.

    It appears to me that's the direction Apple is going. If they continue to build non hand-held computers at all, that is. That doesn't seem to be their focus any more, sadly.

    --
    You are welcome on my lawn.
  10. Re:under the sandbox adobe CS apps will not be abl by phantomfive · · Score: 2

    That's ok, we absolutely don't want to have every app bought from the app store and run in a sandbox. That makes it too easy for Apple to lock down their entire OS, at which point I have to trash my Mac.

    --
    "First they came for the slanderers and i said nothing."
  11. OSX = IOS by dezent · · Score: 4, Insightful

    What has not yet been raised in this thread is that OSX and IOS are starting to look a lot more like each other, or OSX is looking a lot more like IOS since the Lion upgrade; I think we will see more and more aspects of the Mac being locked in. I am seriously looking at going back to Debian for my desktop.

    1. Re:OSX = IOS by fyngyrz · · Score: 4, Interesting

      Agreed; clearly, both environments are going in the wrong direction. IOS needs to become more OS X-like, and OS X needs further development in its natural direction, which is exactly opposite that of where IOS is today.

      Someone at Apple has gotten the wrong idea from the fact that IOS, with its many limits, was good enough for a tablet; they've extrapolated that to think it means that limits are a good thing. They aren't. The best tablet will be the most powerful and flexible tablet, and that won't be one with all the limits we presently see. It'll be one that can legitimately replace the desktop for just about anything you can imagine.

      Apple is clearly dominating the tablet space right now, but as soon as real operating systems with serious applications hit tablets (which I think is still a little way away due to hardware limitations), Apple's going to be left behind in a flash unless they release OS X for their tablets. I'm a huge iPad user, and I run into its limits each and every day. I look forward to a more powerful alternative, something like OS X on a tablet would be "just the thing."

      --
      I've fallen off your lawn, and I can't get up.
    2. Re:OSX = IOS by CharlyFoxtrot · · Score: 2

      They are probably going to converge, although no one knows when (definitely not in the short term though; that's the Windows 8 approach). But the end result won't look like today's iOS. The current iOS is like the original Macintosh: can we see its influence on the Mac today? Absolutely. Today's Macs however are different in many ways, and they make different compromises because they not only serve different needs but have evolved with the times. The "converged Apple OS" is to iOS as the 128K Mac is to today's iMac.

      --
      If all else fails, immortality can always be assured by spectacular error.
    3. Re:OSX = IOS by Anonymous Coward · · Score: 2, Insightful

      > Apple is clearly dominating the tablet space right now, but as soon as real operating systems with serious applications hit tablets

      Those tablets have been available for well over a decade and they bombed in the market because nobody wants those fragile pieces of tech. The solution to making a more powerful tablet is in improving iOS, not trying to cram a fragile, maintenance-heavy desktop OS on a tablet. The future in mainstream computing lies in computers that everybody can use, and desktop computers ain't those machines, and without radical changes they never will be, seeing how they barely have changed at all in the last decade.

  12. Re:Steam can't run in a sandbox so apple can lock by itsdapead · · Score: 5, Insightful

    > Steam can't run in a sandbox so apple can lock them out if they move to more of an app store only system.

    ...and the same is true of MS Office, Adobe CS, Parallels/VMWare etc. So maybe, just maybe, Apple isn't going to lock down OS X until people are no longer buying Macs to run those applications.

    Sure they could decide to go this way - in which case I could feed a Linux or Windows disc in my Mac and give Apple up as a bad job. Personally, I'd be more worried as to whether MS is going to push UEFI secure boot onto every OEM, making it hard to buy any hardware that lets you choose which OS to run.

    OTOH the App Store could develop as somewhere that it was safe for a non-Admin account (Grandad, kids, mere employees) to install software from. The whole system wouldn't need to be locked down.

    --
    In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
  13. Mac OS X 10.7x, 10.6x and 10.5x by Hyperhaplo · · Score: 2

    With all the recent discussion about software version numbering... and how it is now redundant... can someone from the 'I don't think version numbers are needed at all' side of the fence comment regarding how they would have referred to "Mac OS X 10.7x, 10.6x and 10.5x" in the context of this story?

    I recently had a problem with Chrome 9. Took me ages to determine that it was Chrome 9 that was the problem, given that it is not an issue on Chrome 11. Just glad my issue wasn't security related (some of the Google pages would not render and were iteratively reloading content).

    Why can't everything be run in its own sandbox? Isn't this where IT security is heading?

    --
    You have a sick, twisted mind. Please subscribe me to your newsletter.
    1. Re:Mac OS X 10.7x, 10.6x and 10.5x by Anonymous Coward · · Score: 2, Insightful

      > Why can't everything be run in its own sandbox? Isn't this where IT security is heading?

      Because we've tried it that way many times before, and it's just not practical for getting real work done.

      The typical process model offered by most OSes created within the past 30 years already provides most of the benefits of a sandbox. The processes are isolated, they can be denied access to certain resources, and they can abstract away the physical hardware. But then we find that we need to share data between applications in order to make software that's actually useful. That's why we have files, IPC, networking, and a whole bunch of other ways to intentionally break through process isolation.

      Sandboxing works great when you're making shitty games that run on some Apple device. But as soon as you want to do something practical, you need to get rid of these artificial limitations.

    2. Re:Mac OS X 10.7x, 10.6x and 10.5x by CharlyFoxtrot · · Score: 2

      Lion, Snow Leopard and Leopard respectively, updates can be referred to by release date. I think the names are better known than the version numbers by a lot of people. I don't think version numbers are redundant by the way but they could have been completely avoided in this story.

      --
      If all else fails, immortality can always be assured by spectacular error.
  14. Don't give up by fyngyrz · · Score: 5, Interesting

    No. You don't have to trash your Mac. OS X 10.5.8, Leopard, has the following useful characteristics:

    1) it allows 64-bit data, so apps written for it can process massive data sets when used with 64-bit capable processors;

    2) it comes on optical media, and is both easily installed and duplicated;

    3) it is beginning to receive support from the user community (as opposed to Apple) for the bugs Apple left in it; (console messages in error with cron operations, anyone? -- not anymore)

    4) it supports a wider range of available drivers than either Snow Leopard or Lion (or presumably, any of their successors);

    5) it supports PPC emulation, consequently doesn't obsolete all those years of software, as does Lion;

    6) Apple updates for Leopard that don't implement the problems of Snow Leopard and Lion are available as files;

    7) Most responsible developers still support Leopard (it's still used by ~30% of the installed base)

    8) The more people use Leopard, the healthier the OS X software community will be

    9) No sandboxing -- straight up access according to user permissions. Terrific resistance to non-privileged exploits; the usual vulnerabilities if you're gullible enough to install malware and give it access.

    10) Available for PPC, so entire spectrum of Macs for many years are usable and available as a market. If it ain't broke... don't stop supporting it.

    Speaking as a developer, my company is aiming straight at, and developing under, Leopard; though we do test under Snow Leopard and Lion. It's a shame to have to give up some of the APIs we could otherwise use (no one here is interested in implementing features that only work under later OS versions), but clearly it's the right thing to do: unlike Apple, we're not inclined to leave users behind, which is the philosophy that clearly underlies 10.6 and later.

    Leopard is kind of like Apple's version of XP, except without the built-in obsolescence of "activation." It'll work natively for many, many years yet and with the advent of VMs, probably decades after that. It is easily "Hackintoshable." And in the meantime, if enough people drag their feet, maybe even Apple can be made to "get the message" that it isn't OS X that needs to move in the direction of IOS... it's IOS that needs to move in the direction of OS X. You know, things like nested folders, apps that can work filesystem-wide, etc.

    --
    I've fallen off your lawn, and I can't get up.
  15. Re:Steam can't run in a sandbox so apple can lock by fyngyrz · · Score: 4, Interesting

    Apple built their business on good decision making, no question. But also no question, they've made grave errors recently. Why do you think Lion has such a low adoption? Why do you think the Apple fora are full of complaints? Why do you think so many IOS apps are crashing, and why the advertised features of IOS5 don't work? Why is it that Apple isn't doing sufficient testing prior to release? Why is it that they are leaving so many existing, recent customers out in the cold? Why is it that they are dumbing down OS X applications? They're aiming at the middle of the Gaussian now... and that isn't, historically speaking, their Mac customer base.

    As the financial dweebs say: past history is no guarantee of future performance. But past history is what gets a company to wherever they are, today.

    As soon as you learn to distinguish these two concepts, you'll begin to understand what is happening.

    --
    I've fallen off your lawn, and I can't get up.
  16. Re:Steam can't run in a sandbox so apple can lock by CharlyFoxtrot · · Score: 5, Informative

    > Customers were used to using drivers for scanners and etc, Apple took that away (effectively taking away the supported hardware) in Snow Leopard by breaking tons of them -- and never going back to fix them.

    That's a third party problem, they need to support their own devices.

    > Customers were used to being able to run the PPC apps they had spent many dollars on... Apple took that away in Lion.

    After they licensed very expensive software (Rosetta) to give you years to wean yourself off PPC. I find it hard to imagine another OS vendor expending that much effort to do a seamless transition; even Bill Gates was impressed they pulled the Intel switch off as seamlessly as Apple did. Ungrateful much?

    > Customers have been used to apps (oh, I dunno, like Photoshop?) that were part of a system of apps that worked with their data, and Apple's taking that away within the bounds of the app store... and you think it's unlikely that this policy will spread outside the store?

    Yes, they're not going to piss off a sizeable part of their customer base by making it impossible to run Photoshop or other Pro apps.

    > Buddy, Apple does what it wants -- they are *famous* for doing "teh stupidz" -- folders that don't nest under IOS, "wifi sync" that doesn't work under Leopard, a 4-year old native OS, while it does under XP, a ten year old non-native OS, they break the living hell out of IOS apps with just about every "upgrade", forcing developers to put up Yet Another Version of their app to correct for the incompatibilities...

    Nested folders are a bad idea. People don't get nested hierarchies, spend some time watching non-geeks use computers and you'll see.
    Leopard is down to 22% market share, XP only just dipped below 50% this summer. There's a vast amount of XP machines out there, so unfortunately Apple should expend the effort to support them.
    iOS is a platform that's developing at an enormous pace because mobile is so competitive and fast evolving. Change or get left behind is the name of the game, accumulating backwards compatibility cruft à la Windows would be deadly. That said I have not heard many complaints about breakages.

    > When your reasoning depends upon Apple doing things because customers have expectations, your reasoning is no better than a random guess. Apple makes roadmaps, has "visions", and then aims at them. Up until Leopard and IOS4, they were doing pretty well at hitting the target, though of course everyone wanted more. 10.6 and later, IOS5... these are huge bags of fail from several perspectives, most especially from the one you're using to make your assertion: Apple doesn't aim at keeping customers' expectations static.

    You obviously don't like iOS5 and Lion. There are a lot of us who would beg to differ.

    --
    If all else fails, immortality can always be assured by spectacular error.
  17. Re:Steam can't run in a sandbox so apple can lock by fyngyrz · · Score: 4, Informative

    Google Lion Adoption

    Google Apple fora complaints

    IOS5 feature not working

    IOS app crashing

    > Why is it that Apple isn't doing sufficient testing prior to release?

    > [[citation needed]]

    if apps are crashing and drivers don't work and features don't work and data is being lost and batteries are being consumed too fast at release time... they're not doing enough testing. Or is that too complex an idea for you to wrap your head around? Go read the apple support forums, for FSM's sake. Your profound ignorance is annoying.


    > Why is it that they are leaving so many existing, recent customers out in the cold?

    > [[citation needed]]

    Seriously? Ok, starting with Snow Leopard, there's a huge list. With Lion, I'm just going to point at them dropping the PPC emulator and see if you get it (keeping in mind that there are many additional issues similar to those at the above Snow Leopard incompatibility monitor. But, you know, Google it.)


    > They're aiming at the middle of the Gaussian now... and that isn't, historically speaking, their Mac customer base.

    > [[citation needed]]

    Oh, Jeez, low-hanging fruit. I'm sorry (well, not very): [says nothing, points finger straight at you]

    ...and so on. Google. It's useful, if you learn how to use it. You just put the question you have in the little box, then press the little magnifying glass picture. You can do it.

    PS: Nothing I said was in the least an exaggeration or hyperbole: I'm an active Mac and IOS user and an OS X developer, and in these matters, I am reasonably well informed.

    --
    I've fallen off your lawn, and I can't get up.
  18. Re:Steam can't run in a sandbox so apple can lock by fyngyrz · · Score: 2

    RMS for president!

    Peak for president! (It's 1.414 times better!)

    (cough) sorry.

    --
    I've fallen off your lawn, and I can't get up.