∞ Core found something, but it wasn't a sandboxing security hole

Core Research last week issued an advisory saying it found a security hole in the way Apple sandboxes applications. The problem is that what they reported is not actually a security hole.

I’ve done some digging over the past few days and here’s what I found. What Core uncovered was a mechanism that’s only used by Apple for its internal system daemons. This isn’t something that developers would actually use for an application, so it doesn’t affect them — or the user — at all.

In fact, Apple’s documentation doesn’t even point to this mechanism to develop with.

What’s more, this is a blacklist mechanism, meaning that you would have to specify, in detail, everything you didn’t want your app to do. If it’s not specified, then it would be allowed to do it.

This is completely unlike the API that developers will use to sandbox their applications. That is a whitelist API, where you have to specify exactly what you want the app to do — everything else is not allowed.
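To make the blacklist/whitelist distinction concrete, here is an added illustration (not a profile from Core's advisory and not one shipped by Apple) written in the Scheme-like syntax that Apple's public sandbox profile language uses. The specific rule names and paths are assumptions chosen for the example; the point is the shape of the two profiles. In the first, whatever the author forgot to list stays permitted; in the second, whatever the author forgot to list stays denied.

```scheme
;; --- Blacklist-style profile (added example, assumed syntax) ---
;; Everything is permitted unless a rule explicitly denies it.
(version 1)
(allow default)
(deny network-outbound)                      ; no outbound connections
(deny file-write* (subpath "/Users"))        ; no writes under home directories
;; Not listed, therefore still allowed: reading every file on the machine,
;; executing other programs, talking to other processes, and so on.

;; --- Whitelist-style profile (added example, assumed syntax) ---
;; Nothing is permitted unless a rule explicitly allows it.
(version 1)
(deny default)
(allow process-exec (literal "/bin/ls"))                 ; the one program we run
(allow file-read* (subpath "/usr/lib")                   ; libraries the program needs
                  (subpath "/System/Library"))
(allow file-read* (literal "/tmp/input.txt"))            ; the one input it may read
;; Not listed, therefore denied: network access, writing anywhere, reading
;; anything else, launching anything else.
```

Each profile would be tried with `sandbox-exec -f <profile>.sb /bin/ls /tmp` on a Mac that still ships that tool; in practice a real whitelist profile needs a few more `allow` rules just so the dynamic linker can load its libraries, so treat the second profile as the structure of a whitelist, not a drop-in file. The useful check for anyone reviewing a profile is the first `allow default` or `deny default` line: that one line decides whether an omission in the rest of the file is a hole or a harmless restriction.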

Core also mentioned that the pre-defined profiles don’t properly limit access, but as far as I can tell, they weren’t supposed to. Not even Apple uses the pre-defined profiles on their own, because with this mechanism you must specifically blacklist the things you don’t want the process to do.

This has nothing to do with the way the Mac App Store will sandbox apps in 2012. Developers will specify what the app should do and it will work as expected.



  • http://mangochut.net/ mangochutney

    Nice reporting Jim. If true this would be another case of how-to-drum-up-hits-with-non-existent-Apple-security-problems.

    It’d be great if you could post some links for further reading on this topic, if openly accessible.

    • http://www.theangrydrunk.com The Angry Drunk

      More precisely, it shows how the vast majority of people running their traps about the evils of App Sandboxing have fuck-all understanding of how it works.

  • Allan McCoy

    So you’re saying that the fact that someone could write an app that took advantage of this non-bug is OK? Cuz Apple doesn’t think so, they kicked the guy who publicized this out of the dev program for getting an app that took advantage of this in the app store for a few months…

    At the very least, Apple needs to screen apps to ensure that they don’t take advantage of this non-bug. And either they can’t or they weren’t, hopefully they can now, since it’s public knowledge (at least for some value of public.)

    • http://www.theangrydrunk.com The Angry Drunk

      Regardless of what some of the shoddy reporting on this issue would have you believe the bug that Charlie Miller exploited, which I assume you’re referring to, had nothing to do with this supposed “exploit.”

  • http://www.bynkii.com/ John C. Welch

    It’ll be the best thing that ever happened to its competitors

    • Anonymous

      I don’t see how. Facebook is only getting more powerful as each day passes. No company lasts forever and, while Facebook does have weaknesses to be exploited, they haven’t even peaked yet.

      This post just echoes the tragedy of MySpace. They should be the most dominant today but they never truly upgraded their product and they gave the user too much freedom to create crappy, resource intensive web pages.

      • http://mangochut.net/ mangochutney

        Because going public Facebook has to make loads of information public as well. Information that a company doesn’t have to divulge when it’s still privately held.

      • http://www.bynkii.com/ John C. Welch

        It means that instead of being able to make major decisions based on facts, and internal logic, they’ll have to get the approval of a board, and deal with shareholders, and stock analysts. 

        Lots of money, but you give up a lot in exchange.

        • http://mangochut.net/ mangochutney

          Nail, meet hammer.

        • Anonymous

          Apple seems to be able to make major decisions based on facts and internal logic, without worrying about board approval, shareholders, or stock analysts.

          • http://www.bynkii.com/ John C. Welch

            When was the last time you saw a private company having to prove, every three months, to non-employees, that they still are competent?

            Oh yeah. Never.

            Microsoft makes a ton of money every year, yet because of the opinions of Stock Analysts, their stock price sucks. They are making products people like, but their stock price sucks. Why? Analysts dislike them.

            Steve Jobs dies, and based on that fact alone, Apple’s price tumbled. Was there any evidence to base that on? Some actual proof the company was now not as good? No. 

            Every quarter, Apple has to do the song and dance to prove to analysts and shareholders that they’re still okay. Every public company has to do that. What determines a public company’s value? Is it profitability? No. Is it product quality and customer satisfaction? No.

            It’s how a group of people too incompetent to tie their shoes “feel” about the stock. Analysts. Not customers. Not even shareholders. 

            So no, Apple actually cannot ignore analysts. They’ve managed to pick their board well, so that they don’t get in the way, but that’s only one part of it. They still have to worry about shareholders, that’s a legal obligation by the way. They still have to kiss up to the analysts so they feel good.

            Oh, and then there’s the host of federal/state regulations you have to pay people to deal with if you’re public. 

            I keep hoping Apple will go private one day, so it can ignore all of that. 

          • http://mangochut.net/ mangochutney

            The things Apple could do if they were privately held would blow pundits’ minds. Scoble, Reisinger and the likes would implode with ignorant rage.

  • Anonymous

    I would change the word ‘unbelievable’ to ‘ridiculous’.

  • http://mangochut.net/ mangochutney

    That’s some brass fucking balls on their side.
    On the one hand I can understand why they’re so daring, on the other hand I can see how this could be the biggest tech bubble since the .com-crash.