Mac OS X Sandbox Security Hole Uncovered 155
Gunkerty Jeb writes "Researchers at Core Security Technologies have uncovered a security hole that could allow someone to circumvent the application sandbox restrictions of Mac OS X. The report of the vulnerability, which affects Mac OS X 10.7x, 10.6x and 10.5x, follows Apple's announcement earlier this month that all applications submitted to the Mac App store must implement sandboxing as of March 1, 2012. Sandboxing, Apple has argued, limits the resources applications can access and makes it more difficult for malware to compromise systems. Researchers at Core however revealed Nov. 10 that they had warned Apple in September about a vulnerability in their sandboxing approach. According to Core's advisory, several of the default predefined sandbox profiles fail to 'properly limit all the available mechanisms.' As a result, the sandboxing restrictions can be circumvented through the use of Apple events."
Put off requiring sandboxing (Score:5, Interesting)
Sandbox holes will then become a "feature". (Score:4, Interesting)
You're absolutely right. This is always the path taken with sandboxing. Once people realize that the sandbox is preventing them from getting real work done, the next hyped "feature" is usually some way to bypass the sandbox.
This is exactly what IPC was on UNIX systems, for instance. It allowed unrelated and isolated processes to communicate with one another. For a while it was one of the big selling points of certain commercial UNIX variants.
Apple and Microsoft (with Windows 8) are merely 30 years behind those who were the true leaders. But instead of learning from history, they'll spend the next few years causing numerous problems thanks to sandboxing, and then sometime around 2015 or 2016 we'll see support for bypassing the sandbox start getting hyped as a competitive advantage.
Don't give up (Score:5, Interesting)
No. You don't have to trash your Mac. OS X 10.5.8, Leopard, has the following useful characteristics:
1) it allows 64-bit data, so apps written for it can process massive data sets when used with 64-bit capable processors;
2) it comes on optical media, and is both easily installed and duplicated;
3) it is beginning to receive support from the user community (as opposed to Apple) for the bugs Apple left in it; (console messages in error with cron operations, anyone? -- not anymore)
4) it supports a wider range of available drivers than either Snow Leopard or Lion (or presumably, any of their successors);
5) it supports PPC emulation, consequently doesn't obsolete all those years of software, as does Lion;
6) Apple updates for Leopard that don't implement the problems of Snow Leopard and Lion are available as files;
7) Most responsible developers still support Leopard (it's still used by ~30% of the installed base)
8) The more people use Leopard, the healthier the OS X software community will be
9) No sandboxing -- straight up access according to user permissions. Terrific resistance to non-privileged exploits; the usual vulnerabilities if you're gullible enough to install malware and give it access.
10) Available for PPC, so entire spectrum of Macs for many years are usable and available as a market. If it ain't broke... don't stop supporting it.
Speaking as a developer, my company is aiming straight at, and developing under, Leopard; though we do test under Snow Leopard and Lion. It's a shame to have to give up some of the API's we could otherwise use (no one here is interested in implementing features that only work under later OS versions), but clearly it's the right thing to do: unlike Apple, we're not inclined to leave users behind, which is the philosophy that clearly underlies 10.6 and later.
Leopard is kind of like Apple's version of XP, except without the built-in obsolescence of "activation." It'll work natively for many, many years yet and with the advent of VMs, probably decades after that. It is easily "Hackintoshable." And in the meantime, if enough people drag their feet, maybe even Apple can be made to "get the message" that it isn't OS X that needs to move in the direction of IOS... it's IOS that needs to move in the direction of OS X. You know, things like nested folders, apps that can work filesystem-wide, etc.
Re:OSX = IOS (Score:5, Interesting)
Agreed; clearly, both environments are going in the wrong direction. IOS needs to become more OS X-like, and OS X needs further development in its natural direction, which is exactly opposite that of where IOS is today.
Someone at Apple has gotten the wrong idea from the fact that IOS, with its many limits, was good enough for a tablet; they've extrapolated that to think it means that limits are a good thing. They aren't. The best tablet will be the most powerful and flexible tablet, and that won't be one with all the limits we presently see. It'll be one that can legitimately replace the desktop for just about anything you can imagine.
Apple is clearly dominating the tablet space right now, but as soon as real operating systems with serious applications hit tablets (which I think is still a little way away due to hardware limitations), Apple's going to be left behind in a flash unless they release OS X for their tablets. I'm a huge iPad user, and I run into its limits each and every day. I look forward to a more powerful alternative, something like OS X on a tablet would be "just the thing."
Re:Steam can't run in a sandbox so apple can lock (Score:5, Interesting)
Apple built their business on good decision making, no question. But also no question, they've made grave errors recently. Why do you think Lion has such a low adoption? Why do you think the Apple fora are full of complaints? Why do you think so many IOS apps are crashing, and why the advertised features of IOS5 don't work? Why is it that Apple isn't doing sufficient testing prior to release? Why is it that they are leaving so many existing, recent customers out in the cold? Why is it that they are dumbing down OS X applications? They're aiming at the middle of the Gaussian now... and that isn't, historically speaking, their Mac customer base.
As the financial dweebs say: past history is no guarantee of future performance. But past history is what gets a company to wherever they are, today.
As soon as you learn to distinguish these two concepts, you'll begin to understand what is happening.
Re:No, this is a very serious issue. (Score:1, Interesting)
What a fine collection of strawmen.