Security researchers from Core Security Technologies discovered that these default profiles allow Apple-script events to be sent to other applications. They created a proof-of-concept exploit that leverages this to call “osascript,” a scripting language interpreter built into Mac OS X, in order to spawn a separate, non-sandboxed, process.

In practical terms, if an attacker gains access over an application running under the kSBXProfileNoInternet sandbox profile, he could use osascript to launch a separate process that does have access to the Internet, therefore bypassing the restriction.

“An additional risk with these profiles is that they are supposed to provide an example of how a process should be restricted in different scenarios. If the no-network profile allows Apple-script events, this may result in new applications using the same restriction rules, therefore offering a false sense of security,” the Core Security researchers said in

The company claims to have notified Apple’s product security team on Sept.