wheava.blogg.se

Mac os process monitor sandboxd

To help developers implement this security feature more easily in their apps, Apple has provided a few default sandbox profiles. One of them is called "kSBXProfileNoNetwork" and as the name implies, it restricts an application's access to the local network. Another one, called "kSBXProfileNoInternet," can be used to restrict access to the Internet.

Security researchers from Core Security Technologies discovered that these default profiles allow Apple-script events to be sent to other applications. They created a proof-of-concept exploit that leverages this to call "osascript," a scripting language interpreter built into Mac OS X, in order to spawn a separate, non-sandboxed, process. In practical terms, if an attacker gains access over an application running under the kSBXProfileNoInternet sandbox profile, he could use osascript to launch a separate process that does have access to the Internet, therefore bypassing the restriction.

"An additional risk with these profiles is that they are supposed to provide an example of how a process should be restricted in different scenarios. If the no-network profile allows Apple-script events, this may result in new applications using the same restriction rules, therefore offering a false sense of security," the Core Security researchers said in their advisory.

The company claims to have notified Apple's product security team on Sept.













