
Flaw threatens Mac OS X sandboxing


Apple Inc.'s attempt to have developers sandbox their apps by 2012 may not be foolproof, a security research firm said.

CoreLabs said a compromised app restricted by Apple's "no-network" profile may still have access to network resources through Apple events. The Apple events in turn can execute other applications not directly restricted by the sandbox, it said.

"In our (proof of concept) we used 'osascript' to send the required Apple events to launchd in order to execute the new process. As the new process is not a 'child' of the sandboxed process, it is created without the sandbox restrictions," it said.

Worse, it said that if the no-network profile allows Apple-script events, this may result in new applications using the same restriction rules, "therefore offering a false sense of security."

Starting March 2012, Apple will require developers to submit sandboxed apps to the Mac App Store to gain approval. The sandboxing process restricts the system resources available to an app, meaning that the app cannot execute certain commands that would control other software or parts of the operating system.

But CoreLabs said the potential flaw may allow rogue apps to execute commands without the knowledge of the user. It said the vulnerabilities exist in Mac OS X Leopard, Snow Leopard and Lion, according to an article on PC World.

PC World said CoreLabs has reported the issue to Apple but said Apple "does not see any actual security implications," though Cupertino has not made any official public statement about CoreLabs' finding.

— TJD, GMA News