Sandboxing flaw is no real problem for OS X

A flaw in the OS X sandboxing routines has been found, but it does not pose a security threat or much of a problem for the Mac.

Recently the researchers at CoreLabs have uncovered a vulnerability in the OS X networking sandbox routines that allows a sandboxed program to bypass some of the restrictions imposed on it by the OS.

Sandboxing is supposed to limit a program's access to hardware (cameras, networking, and microphones) as well as software services in the system (address book, calendars, and directory services), but in this case the CoreLabs researchers have found that a program with limited networking access can use the technology behind AppleScript called "Apple Events" to gain access to network resources.

What this means is in the rare chance that a sandboxed program is hacked or if it crashes or has bugs in it, then it may be able to access the network and send data; however, this is not a serious issue even though on the surface it may seem to be.

Sandboxing is a voluntary way for a developer to restrict its program's access to system resources such as file access, and network access, in order to keep the system safe from the program if it becomes unstable, is hacked, or otherwise gets compromised. To an extent it is like putting a leash on a dog to ensure that even if properly trained the dog can still be controlled if voice commands or other options do not work. In the case of sandboxing on OS X, the leash is not required but is seen as mutually respectful and beneficial to the community.

While this finding by CoreLabs is technically considered a vulnerability, because sandboxing is voluntary, this development is more of a flaw description than a change to the security of the operating system. Sandboxing has benefits that developers are encouraged to use, but it does burden and restrict developers so at least for now it is not a requirement in the OS (though it soon will be for apps distributed through the Mac App Store). Therefore, even though the sandbox has a hole in it, by not being an integral component to OS X security, there is no real security concern.

In returning to the dog leash analogy, this development is similar to someone finding that the leash buckle may break if used improperly, but since most dogs are well-mannered the leash will be just fine even with this flaw. However, in rare cases a hyper dog that is voluntarily leashed may get away and cause problems because of the flaw.

Overall, this development shows the sandboxing routines in OS X are being tested and the flaws in them are being rooted out, to help developers keep users safe from any unforeseen problems in their programs. As a result, this news is good news for both developers and users, as it ensures an application that is voluntarily sandboxed is not allowed to break the sandbox rules, and is ensured to behave as it is intended.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

About the author

    Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

     

    ARTICLE DISCUSSION

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    Hot on CNET

    CNET's giving away a 3D printer

    Enter for a chance to win* the Makerbot Replicator 3D Printer and all the supplies you need to get started.