Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Security Apple

Mac OS X Sandbox Security Hole Uncovered 155

Posted by samzenpus
from the protect-ya-neck dept.
Gunkerty Jeb writes "Researchers at Core Security Technologies have uncovered a security hole that could allow someone to circumvent the application sandbox restrictions of Mac OS X. The report of the vulnerability, which affects Mac OS X 10.7x, 10.6x and 10.5x, follows Apple's announcement earlier this month that all applications submitted to the Mac App store must implement sandboxing as of March 1, 2012. Sandboxing, Apple has argued, limits the resources applications can access and makes it more difficult for malware to compromise systems. Researchers at Core however revealed Nov. 10 that they had warned Apple in September about a vulnerability in their sandboxing approach. According to Core's advisory, several of the default predefined sandbox profiles fail to 'properly limit all the available mechanisms.' As a result, the sandboxing restrictions can be circumvented through the use of Apple events."
This discussion has been archived. No new comments can be posted.

Mac OS X Sandbox Security Hole Uncovered

Comments Filter:
  • by 0racle (667029) on Sunday November 13, 2011 @06:37PM (#38043898)
    Apple recently announced they were pushing back the requirement for sandboxing, originally the requirement was November. Maybe this is why.
  • Nothing to see here (Score:2, Informative)

    by Anonymous Coward

    This is a fake story about a fake hole. The "vulnerability" is that some sandbox profile, called "no-network", which isn't part of App Sandbox (a totally different sandbox technology, that will be required for apps on March 2012), but rather part of the legacy sandbox technology that was unused by 3rd party developers, only prevents network access. Yes, the no-network profile only prevents network access.

    It's sad what's happened to Core Security in the past year or so.

    • by Anonymous Coward

      Ever since JavaScript, iOS, and Android became widely hyped, we've heard a lot of fools screaming on about how sandboxing is somehow the solution to all of computing's ills. They claim it'll provide perfect security, and processes will be totally isolated from one another, and performance won't suffer, and a whole host of other claims that are utter bullshit.

      This incident is so important just because it blows a hole in everything these sandbox-loving idiots are claiming. This is important because it's reali

      • Re: (Score:1, Interesting)

        by BasilBrush (643681)

        What a fine collection of strawmen.

        • Re: (Score:1, Troll)

          by LordLimecat (1103839)

          I dont think "strawmen" describes his post-- what idea did he set up for ridicule and then tear down?

          • by Anonymous Coward

            I dont think "strawmen" describes his post-- what idea did he set up for ridicule and then tear down?

            The first two sentences are both statements of fact that are not true:

            """
            Ever since JavaScript, iOS, and Android became widely hyped, we've heard a lot of fools screaming on about how sandboxing is somehow the solution to all of computing's ills. They claim it'll provide perfect security, and processes will be totally isolated from one another, and performance won't suffer, and a whole host of other claims that are utter bullshit.
            """

            • "Untruth" is not the defining characteristic of a strawman. Distorting the opposition's viewpoint into an easily refuted parody IS, and GP did not do that.

              So whatever other problems his post contained, it did NOT contain any strawmen.

      • by Anonymous Coward

        Those of us who have pointed out that all sandboxes are imperfect

        Yeah, so what? Fix bugs when they occur and move on. Sandboxes aren't interesting because they are the end solution to all computer security problems, but because without them you have virtually no protection at all. Sandboxes are a damn good step into the right direction.

        • by RCL (891376)
          We need to stop fighting viruses. This secuirty-oriented crusade starts to seriously threaten our freedom.
    • Broken concept (Score:5, Informative)

      by Anonymous Coward on Sunday November 13, 2011 @07:19PM (#38044092)

      > Yes, the no-network profile only prevents network access.

      1. no-network profile does *not* prevent network access see PoC [1]
      2. The concept itself is broken, a sandbox which *only* prevents network access is completely useless. As a result network access is available to sanboxed applications.

      [1] http://www.coresecurity.com/content/apple-osx-sandbox-bypass

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        2. The concept itself is broken, a sandbox which *only* prevents network access is completely useless.

        A sandbox doesn't have to be watertight to be useful, as the goal isn't just blocking malicious applications, but also inspecting and controlling legitimate applications. Games for example often do network access, even when not needed, a personal firewall or sandbox can prevent that. That the protection can be circumvented isn't an issue here, as that would mean breaking the law and most companies wouldn't go that far just to collect some user data.

    • by Decameron81 (628548) on Sunday November 13, 2011 @07:37PM (#38044212)

      This is a fake story about a fake hole. The "vulnerability" is that some sandbox profile, called "no-network", which isn't part of App Sandbox (a totally different sandbox technology, that will be required for apps on March 2012), but rather part of the legacy sandbox technology that was unused by 3rd party developers, only prevents network access. Yes, the no-network profile only prevents network access.

      It's sad what's happened to Core Security in the past year or so.

      No, it's not a fake vulnerability. You should read the report (RTFR?).

      The vulnerability is about how apple events can be used to bypass the sandboxing of an application, and in this particular case to gain unrestrained network access even though the app is tagged as "no-network". According to the report it can be used to bypass other restrictions too.

      • by Anonymous Coward

        From reading the fine report, I can see clearly that the authors are conflating the Leopard-era sandboxing technology with App Sandbox -- which is new in Lion and is what is required by the Mac App Store. Which lends seriously doubts about the credibility of the authors. Go ahead, make a project in Xcode, enable App Sandoxing, and try to send an Apple event...it doesn't work. The authors should have tried the same before making asses out of themselves.

      • by TheRaven64 (641858) on Monday November 14, 2011 @06:29AM (#38046900) Journal
        Yup, no vulnerability at all. Have you read the documentation for using Apple Events? The chances of anyone successfully implementing anything that relies on them is basically zero.
    • by sjames (1099)

      Actually it says that the no-network sandbox which etc. etc. FAILS to prevent some forms of network access.

  • by Anonymous Coward

    Sandboxing is a really good idea, and doesn't introduce much overhead (although communication with devices might be problematic!). Kudos to Apple.

    • http://www.lowendmac.com/newsrev/11mnr/1111.html#1 [lowendmac.com]
      http://www.cultofmac.com/113977/os-x-lion-sandboxing-is-a-killjoy-destined-to-ruin-our-mac-experience/ [cultofmac.com]

      Why make it so you can't the ability to save changes to files that you do not own? Why have it ask for admin rights when doing so?

      • by Anonymous Coward

        Huh? That should be the norm. I don't want any doofus or luser to modify my files.
        Using sudo/su in these circumstances is proper Unix practice. (Mac OS X _is_ in fact a certified Unix system)

        • But your app can't even ask for rights so that makes it hard to edit some.

          and next is a app can't even open other app's files or even see the full file system.
          after that games can't have mods or user maps or use a map editor that is not part of the main game app file.

          • by Anonymous Coward on Sunday November 13, 2011 @07:27PM (#38044144)

            You're absolutely right. This is always the path taken with sandboxing. Once people realize that the sandbox is preventing them from getting real work done, the next hyped "feature" is usually some way to bypass the sandbox.

            This is exactly what IPC was on UNIX systems, for instance. It allowed unrelated and isolated processes to communicate with one another. For a while it was one of the big selling points of certain commercial UNIX variants.

            Apple and Microsoft (with Windows 8) are merely 30 years behind those who were the true leaders. But instead of learning from history, they'll spend the next few years causing numerous problems thanks to sandboxing, and then sometime around 2015 or 2016 we'll see support for bypassing the sandbox start getting hyped as a competitive advantage.

            • by drinkypoo (153816)

              This is exactly what IPC was on UNIX systems, for instance. It allowed unrelated and isolated processes to communicate with one another. For a while it was one of the big selling points of certain commercial UNIX variants.

              The wonderful thing about standards is that there are so many of them. Today there's SysV IPC, and there's CORBA, and there's dbus, and there's proprietary interfaces with shared memory, and...

            • by CharlyFoxtrot (1607527) on Sunday November 13, 2011 @09:48PM (#38044892)

              You're absolutely right. This is always the path taken with sandboxing. Once people realize that the sandbox is preventing them from getting real work done, the next hyped "feature" is usually some way to bypass the sandbox.

              No they won't because "people" don't understand filesystems, that's a geek thing. That's why so many people have all their files on their desktop. Computing is finally tilting away from geeks and towards making norms comfortable. Don't worry, you'll always have Linux.

              • by makomk (752139)

                The fun thing about sandboxing of the type Apple have come up with is that it actually makes it very hard - or even impossible - for app developers to come up with a better way of organising and finding files than the filesystem. The only way for any application to access any file outside its sandbox or a handful of special directories that it can be granted privileges for (Photos and probably a couple of other ones) is if the user opens that file from the standard OS-provided file open dialog. So you can c

  • by Joe_Dragon (2206452) on Sunday November 13, 2011 @06:57PM (#38044000)

    under the sandbox adobe CS apps will not be able to work with each other and even then it will be a hard fit into the app store.
    The top of the line pack is US$ 2,599 way over the apps store max price of $999 and even then that is like $780 for apples cut now I think it costs way less then that to sell it on your own per copy.

    also adobe has upgrade pricing as well. Will the app store system let you have up gate prices? even from older vers not in the app store.

    • That's ok, we absolutely don't want to have every app bought from the app store and run in a sandbox. That makes it too easy for Apple to lock down their entire OS, at which point I have to trash my Mac.
      • by Anonymous Coward

        That's ok, we absolutely don't want to have every app bought from the app store and run in a sandbox. That makes it too easy for Apple to lock down their entire OS, at which point I have to trash my Mac.

        We don't. Take note of the definition of "we" in this context.

        "We" does not include Apple.

      • Besides, Adobe has figured out an even better way to screw their users - they're going to put their heads in the cloud and their fingers in our wallets by switching to a subscription service [adobe.com].

        How do you like them Apples, Charly?

      • Don't give up (Score:5, Interesting)

        by fyngyrz (762201) on Sunday November 13, 2011 @08:26PM (#38044480) Homepage Journal

        No. You don't have to trash your Mac. OS X 10.5.8, Leopard, has the following useful characteristics:

        1) it allows 64-bit data, so apps written for it can process massive data sets when used with 64-bit capable processors;

        2) it comes on optical media, and is both easily installed and duplicated;

        3) it is beginning to receive support from the user community (as opposed to Apple) for the bugs Apple left in it; (console messages in error with cron operations, anyone? -- not anymore)

        4) it supports a wider range of available drivers than either Snow Leopard or Lion (or presumably, any of their successors);

        5) it supports PPC emulation, consequently doesn't obsolete all those years of software, as does Lion;

        6) Apple updates for Leopard that don't implement the problems of Snow Leopard and Lion are available as files;

        7) Most responsible developers still support Leopard (it's still used by ~30% of the installed base)

        8) The more people use Leopard, the healthier the OS X software community will be

        9) No sandboxing -- straight up access according to user permissions. Terrific resistance to non-privileged exploits; the usual vulnerabilities if you're gullible enough to install malware and give it access.

        10) Available for PPC, so entire spectrum of Macs for many years are usable and available as a market. If it ain't broke... don't stop supporting it.

        Speaking as a developer, my company is aiming straight at, and developing under, Leopard; though we do test under Snow Leopard and Lion. It's a shame to have to give up some of the API's we could otherwise use (no one here is interested in implementing features that only work under later OS versions), but clearly it's the right thing to do: unlike Apple, we're not inclined to leave users behind, which is the philosophy that clearly underlies 10.6 and later.

        Leopard is kind of like Apple's version of XP, except without the built-in obsolescence of "activation." It'll work natively for many, many years yet and with the advent of VMs, probably decades after that. It is easily "Hackintoshable." And in the meantime, if enough people drag their feet, maybe even Apple can be made to "get the message" that it isn't OS X that needs to move in the direction of IOS... it's IOS that needs to move in the direction of OS X. You know, things like nested folders, apps that can work filesystem-wide, etc.

        • by AmiMoJo (196126)

          it's IOS that needs to move in the direction of OS X. You know, things like nested folders, apps that can work filesystem-wide, etc

          That would cut directly into Apple's bottom line. Their business model is built around locking both the user and developer into a tightly controlled environment where every transaction generates revenue for them. In the past companies had to court developers, now Apple have created a product where developers desperately want to be on it no matter how bad the deal is. It is more like the game console market than the PC market, except that Apple doesn't have to sell the product at a loss for years before maki

  • Sandboxing, Apple has argued, limits the resources applications can access and makes it more difficult for malware to compromise systems.

    I think everyone argues that sandboxing limits the resources applications can access and makes it more difficult for malware to compromise systems. Well, at least for a fully functional application sandbox.

  • Steam can't run in a sandbox so apple can lock them out if they move to more of a app store only system.

    • by smash (1351) on Sunday November 13, 2011 @07:20PM (#38044106) Homepage Journal
      This will not happen. I see this bullshit paranoia all the time. The mac will NOT be app-store only. However, if you CHOOSE to run app store only apps, you get sandboxed, vetted apps from a trusted vendor. Windows 8 is going the same way.
      • Re: (Score:3, Insightful)

        by PopeRatzo (965947) *

        The mac will NOT be app-store only.

        I think some will be app-store only.

        I would not be surprised if iMacs or entry-level Macs become app-store only.

        It appears to me that's the direction Apple is going. If they continue to build non hand-held computers at all, that is. That doesn't seem to be their focus any more, sadly.

        • by Anonymous Coward

          >I would not be surprised if iMacs or entry-level Macs become app-store only.

          Then you clearly don't understand Apple as well as you think you do. Tablets, etc. can be limited, but customers are used to tweaking their desktops or laptops. Apple knows this.

          • by elrous0 (869638) *

            I don't think you appreciate how much more profit Apple makes off their non-PC products these days compared to their Macbooks and desktops. You may still think of Apple as primarily a PC company, but THEY don't. I think they accepted the fact that they would never be dominant in the PC market years ago, but they CAN be dominant in the MP3-player/cellphone/tablet/etc. markets. So guess what they're going to focus on?

            Not only would it not surprise me if Apple made their PC's app-store only, but it wouldn't ev

        • "The more you tighten your grip, Tarkin, the more star systems will slip through your fingers."
      • Windows 8 is not going app store only and but even then MS is more open to in app user maps and addons.

        But steam is big on windows so I don't see that being locked out and there way to many old apps out there as well.

        • by 0123456 (636235)

          Windows 8 is not going app store only and but even then MS is more open to in app user maps and addons.

          I thought Metrosexual apps were going to be app-store only?

          It's going to be hard for any OS developer to turn down the idea of getting 30% of every piece of software installed on a sysem.

      • The mac will NOT be app-store only. However, if you CHOOSE to run app store only apps, you get sandboxed, vetted apps from a trusted vendor. Windows 8 is going the same way

        Metro applications in Windows 8 will only be available through whatever they call the Windows App Store.

    • by itsdapead (734413) on Sunday November 13, 2011 @07:45PM (#38044260)

      Steam can't run in a sandbox so apple can lock them out if they move to more of a app store only system.

      ...and the same is true of MS Office, Adobe CS, Parallels/VMWare etc. So maybe, just maybe, Apple isn't going to lock down OS X until people are no longer buying Macs to run those applications.

      Sure they could decide to go this way - in which case I could feed a Linux or Windows disc in my Mac and give Apple up as a bad job. Personally, I'd be more worried as to whether MS is going to push UEFI secure boot onto every OEM, making it hard to buy any hardware that let you choose which OS to run.

      OTOH the App Store could develop as somewhere that it was safe for a non-Admin account (Grandad, kids, mere employees) to install software from. The whole system wouldn't need to be locked down.

      • business use will drive UEFI with lot's on xp / 7. At least windows 7 will have to be able to boot that UEFI mode and Linux is used by business for stuff as well alot of the web severs so that is a big area that the OEM will not want to be locked out of.

      • by exomondo (1725132)

        Personally, I'd be more worried as to whether MS is going to push UEFI secure boot onto every OEM, making it hard to buy any hardware that let you choose which OS to run.

        Why? Just because SecureBoot is available doesn't mean it has to be turned on.

      • by fyngyrz (762201)

        Personally, I'd be more worried as to whether MS is going to push UEFI secure boot onto every OEM, making it hard to buy any hardware that let you choose which OS to run.

        VM's FTW. :)

  • OSX = IOS (Score:4, Insightful)

    by dezent (952982) on Sunday November 13, 2011 @07:45PM (#38044252)
    What has not yet been lifted in this thread is that OSX and IOS are starting to look a lot more like each other, or OSX is looking a lot more like IOS since Lion upgrade, i think we will see more and more aspects of the mac being locked in. I am seriously looking at going back to Debian for my desktop.
    • Re:OSX = IOS (Score:5, Interesting)

      by fyngyrz (762201) on Sunday November 13, 2011 @08:45PM (#38044594) Homepage Journal

      Agreed; clearly, both environments are going in the wrong direction. IOS needs to become more OS X-like, and OS X needs further development in its natural direction, which is exactly opposite that of where IOS is today.

      Someone at Apple has gotten the wrong idea from the fact that IOS, with its many limits, was good enough for a tablet; they've extrapolated that to think it means that limits are a good thing. They aren't. The best tablet will be the most powerful and flexible tablet, and that won't be one with all the limits we presently see. It'll be one that can legitimately replace the desktop for just about anything you can imagine.

      Apple is clearly dominating the tablet space right now, but as soon as real operating systems with serious applications hit tablets (which I think is still a little way away due to hardware limitations), Apple's going to be left behind in a flash unless they release OS X for their tablets. I'm a huge iPad user, and I run into its limits each and every day. I look forward to a more powerful alternative, something like OS X on a tablet would be "just the thing."

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Apple is clearly dominating the tablet space right now, but as soon as real operating systems with serious applications hit tablets

        Those tablets have been available for well over a decade and they bombed in the marked because nobody wants those fragile pieces of tech. The solution to making a more powerful tablet is in improving iOS, not trying to cram a fragile maintenance heavy desktop OS on a tablet. The future in mainstream computing lies in computers that everybody can use and desktop computers ain't those machines and without radical changes they never will be, seeing how they barely have changed at all in the last decade.

        • by fyngyrz (762201)

          I think -- and we're both guessing here -- that those tablets failed because (a) they were WAY too expensive, and (b) no one had really worked out how a touch interface should work (a stylus sucks, trust me, been there, bloody hated that.) Leopard is a lot less fragile than Windows circa ten years ago, or Linux, which still isn't mature enough or stable enough to consider as of today, IMHO -- it still doesn't even have a decent set of non-encumbered/poisoned/costly GUI widgets.

          I agree about maintainance hea

      • Microsoft was pushing Windows for Tablets for years. No one was interested. Tablets certainly do not need a desktop type OS. Furthermore, the ease and consistency of download and install with the App Store has been a boon to OSX. There's a way in which learning lessons from iOS is good for OSX.

    • They are probably going to converge although no one knows when (definitely not in the short term though, that's the Windows 8 approach.) But the end result won't look like today's iOS. The current iOS is like the orignal Macintosh: can we see its influence on the mac today ? Absolutely. Today's macs however are different in many ways and the make different compromises because they not only serve different needs but they have evolved with the times. The "converged Apple OS" is to iOS as the 128K Mac is to to

  • by Hyperhaplo (575219) on Sunday November 13, 2011 @08:07PM (#38044350)

    With all the recent discussion about software version numbering.. and how it is now redundant .. can someone from the 'I don't think version numbers are needed at all' side of the fence comment regarding how they would have referred to "Mac OS X 10.7x, 10.6x and 10.5x" in the context of this story?

    I recently had a problem with Chrome 9. Took me ages to determine that it was chrome 9 that was the problem, given that it is not an issue on Chrome 11. Just glad my issue wasn't security related (some of the google pages would not render and were iteratively reloading content).

    Why can't everything be run in its own sandbox? Isn't this where IT security is heading?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Why can't everything be run in its own sandbox? Isn't this where IT security is heading?

      Because we've tried it that way many time before, and it's just not practical for getting real work done.

      The typical process model offered by most OSes created within the past 30 years already provides most of the benefits of a sandbox. The processes are isolated, they can be denied access to certain resources, and they can abstract away the physical hardware. But then we find that we need to share data between applications in order to make software that's actually useful. That's why we have files, IPC, net

    • Lion, Snow Leopard and Leopard respectively, updates can be referred to by release date. I think the names are better known than the version numbers by a lot of people. I don't think version numbers are redundant by the way but they could have been completely avoided in this story.

      • by arikol (728226)

        Okay... so, a version released on 09.05.2011, when was that released?
        Well, depends on whether the maker is U.S. based or somewhere else in the world.
        (there are two logical ways of ordering dates, detail->less detail->least detail, or least detail->more detail->most detail. That translates to day-month-year, or year-month-day. Then there is the U.S. way, which would be stuck on quite a few bits of software.)

        So we would have numbers going both ways, sometimes within the same company (with offices

        • You know we've got computers these days that'll display dates in your local format right ?
          Everybody is doing dates wrong anyway. It should be YYYYMMDD.

          • As it happens I am currently a Configuration Manager.. to answer this and the GP.. this is something which is currently a royal pain to deal with.. and not just for databases. It happens all over the place with values with multiple meanings. Not everything translates these 'common' values, such as dates, into the "local" or "correct" value.

            I recently spent a whole month sorting this out for application CIs.. it's not pretty or fun to deal with.

            I agree with your point though: This could have easily have ref

  • This is just one more example of Apple being unaware/clueless of tech outside of Apple. I sincerely hope Apple isn't claiming this as another one of their innovations.

    The fundamental approach is flawed. They chose to use a special "launchd" app to control this rather than adding the extra security to the OS kernel fork/exec. Hence, the security flaw that these researchers found.

    In typical Apple fashion, after being notified, they're trying to sweep it under the rug by revising the developer documenta

I have not yet begun to byte!

Working...