Security researchers have slammed Apple for failing to fix a flaw in its sandboxing system, despite pushing developers to use it for all apps.
The outburst comes after CoreLabs found flaws in the sandbox system that Apple plans to make compulsory for developers creating Mac apps. Sandboxing keeps apps from accessing key parts of the OS in order to mitigate damage from malware.
The security company said it explained the vulnerabilities to Apple but the Mac maker ignored its September alert, prompting CoreLabs to go public with the warning before Apple had fixed the issue.
“This advisory is in the category 'user release', which is a rare thing for us to do - it means despite our best efforts the vendor chose not to patch the code we identified as vulnerable,” said Alex Horan, senior product manager for CoreLabs, in a blog post.
“Buyer beware is something technology vendors can hide behind – and in my opinion is not a valid reason for letting known issues continue to exist in their products. Because this is a vulnerability within Apple OS X we made a well-thought-out decision to share information in order to educate users on how to protect themselves from harm.”
According to CoreLabs, the original report to Apple highlighted a problem whereby applications that should not be allowed network access could circumvent the sandbox system, but Apple had yet to make changes or notify users about the issue.
“Several of the default pre-defined sandbox profiles don’t properly limit all the available mechanisms and therefore allow exercising part of the restricted functionality,” CoreLabs said.
“A compromised application hypothetically restricted by the use of the no-network profile may have access to network resources through the use of Apple events to invoke the execution of other applications not directly restricted by the sandbox.”
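Apple's sandbox profiles are written in a Scheme-like profile language, and the gap CoreLabs describes is a profile that blocks sockets but leaves open the channels through which a confined process can ask an unconfined one to do its networking. The block below is an added example, not a file from the page, CoreLabs or Apple: a constructed profile showing that weak pattern beside a hardened one that also denies Apple event sending and process spawning. The operation names are ones the profile language provides; the allow rules, paths and the mach service name are assumptions chosen for the example.

```scheme
;; --- weak-no-network.sb ---
;; Constructed illustration of the pattern described in the advisory,
;; NOT Apple's actual no-network profile.
(version 1)
(allow default)        ; everything is permitted unless denied below
(deny network*)        ; blocks sockets for THIS process only
;; Not denied: appleevent-send, process-exec, mach-lookup. A confined
;; process can still drive another, unconfined application and have it
;; reach the network on its behalf.

;; --- hardened-no-network.sb ---
;; Added example: start closed and deny the delegation channels too.
(version 1)
(deny default)                       ; anything unlisted is refused and logged

;; Minimal file access so a typical command-line tool can start.
;; Paths are assumptions for the example; narrow them per application.
(allow file-read-metadata)
(allow file-read* (subpath "/usr/lib")
                  (subpath "/usr/share")
                  (subpath "/System/Library"))
(allow file-write* (subpath "/private/tmp"))

;; The restriction the no-network profile is meant to provide.
(deny network*)

;; The gap in the advisory: a confined app sending Apple events to an
;; unconfined application. Refuse the channel outright.
(deny appleevent-send)

;; Same idea for direct delegation: no forking or exec'ing helpers that
;; would run outside this profile.
(deny process-fork)
(deny process-exec)

;; Mach lookups let a process find other services. Deny them, then
;; allow only what the app actually needs (service name is assumed).
(deny mach-lookup)
(allow mach-lookup (global-name "com.apple.system.logger"))

;; Check (assumed command lines; sandbox-exec launches a program under a
;; profile): run the same Apple-event-sending command under both files.
;;   sandbox-exec -f weak-no-network.sb     osascript -e 'tell application "Finder" to activate'
;;   sandbox-exec -f hardened-no-network.sb osascript -e 'tell application "Finder" to activate'
;; The first succeeds; the second is refused and the sandbox logs the
;; appleevent-send denial, which is the signal a defender can monitor.
```

One profile per file when using these: the two sections are shown together only so the missing deny rules are visible side by side.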
Having alerted the company, CoreLabs expected some sort of action, but claims Apple ignored the warning.
“Testing to ensure our recommendations for patching actually address the problem means a lot of work to us,” Horan said. “However, caveat emptor [buyer beware] is something technology vendors can hide behind – and in my opinion [is] not a valid reason for letting known issues continue to exist in their products.”
Apple has yet to respond to a request for comment.