CoreLabs, which provides organizations with real-world security intelligence, says there are vulnerabilities in the way Apple implements “sandboxing” in Mac OS X 10.7 (“Lion”). Apple says sandboxing protects the system by limiting the kinds of things an application can do, such as accessing files on disk or resources over the network.

Several of the default pre-defined sandbox profiles don’t properly limit all the available mechanisms and therefore allow exercising part of the restricted functionality, according to CoreLabs, which provides organizations with real-world security intelligence. Namely, sending Apple events is possible within the no-network sandbox (kSBXProfileNoNetwork).

A compromised application hypothetically restricted by the use of the no-network profile may have access to network resources through the use of Apple events to invoke the execution of other applications not directly restricted by the sandbox, says CoreLabs. A similar issue was reported by Charlie Miller in his talk at Black Hat Japan 2008. He mentioned a few processes sandboxed by default as well as a method to circumvent the protection. Sometime after the talk, Apple modified the mentioned profiles by restricting the use of Apple events, but didn’t modify the generic profiles.

Read more at http://www.coresecurity.com/content/apple-osx-sandbox-bypass .