OS X sandboxing flaw casts doubt on upcoming Mac App Store requirement
Sandboxing provides a method for an operating system to restrict which system resources are available to an application. According to security firm Core, vulnerabilities in the feature extend to the three latest releases of Mac OS X: Leopard, Snow Leopard and Lion.
"Several of the default pre-defined sandbox profiles don't properly limit all the available mechanisms and therefore allow exercising part of the restricted functionality," the vulnerability's description read.
In particular, an application without approved network access could send Apple events "to invoke the execution of other applications not directly restricted by the sandbox." The firm also noted that the issue resembles one reported by famed security expert Charlie Miller at the Black Hat Japan security conference in 2008. Apple apparently fixed the mentioned issue, but neglected to "modify the generic profiles."
Apple had originally required all submitted Mac App Store apps to support sandboxing by this month, but the company recently pushed the deadline back to March of next year.
"As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing," Apple reportedly said in an email to developers, as noted by TUAW.
The Cupertino, Calif., company is implementing the policy in an effort to maintain security on the Mac App Store, but a number of developers have complained that the rule is overly restrictive. The recently revealed vulnerability has only added fuel to their cause, as some assert that the sandbox requirement is flawed because sandboxing itself is vulnerable.
Some have also taken issue with how Apple has handled the news of the vulnerability. Core notified Apple of the issue in September, allowing ample time for the company to address it before the firm went public with the problem. According to the firm, Apple responded that it "does not see any actual security implications" because documentation for the NoNetwork sandbox profile does not actually promise that Apple events will be blocked.
Core replied that the vulnerability allows Apple events to eventually execute sockets-based networking, which is supposed to be blocked by the NoNetwork sandbox profile. Apple then agreed to modify its documentation to make note of the issue.
While the Mac App Store is only one option for adding software to a Mac, some critics of Apple's restrictions have voiced concerns that the company could move toward the iOS model. The App Store on iOS is currently the only legitimate source for applications on the mobile OS.