Recently the researchers at CoreLabs have uncovered avulnerability in the OS X networking sandbox routines that allows a sandboxed program to bypass some of the restrictions imposed on it by the OS.
Sandboxing is supposed to limit a program’s access to hardware (cameras, networking, and microphones) as well as software services in the system (address book, calendars, and directory services), but in this case the CoreLabs researchers have found that a program with limited networking access can use the technology behind AppleScript called “Apple Events” to gain access to network resources.
What this means is in the rare chance that a sandboxed program is hacked or if it crashes or has bugs in it, then it may be able to access the network and send data; however, this is not a serious issue even though on the surface it may seem to be.
Sandboxing is a voluntary way for a developer to restrict its program’s access to system resources such as file access, and network access, in order to keep the system safe from the program if it becomes unstable, is hacked, or otherwise gets compromised. To an extent it is like putting a leash on a dog to ensure that even if properly trained the dog can still be controlled if voice commands or other options do not work. In the case of sandboxing on OS X, the leash is not required but is seen as mutually respectful and beneficial to the community.
While this finding by CoreLabs is technically considered a vulnerability, because sandboxing is voluntary, this development is more of a flaw description than a change to the security of the operating system. Sandboxing has benefits that developers are encouraged to use, but it does burden and restrict developers so at least for now it is not a requirement in the OS (though it soon will be for apps distributed through the Mac App Store). Therefore, even though the sandbox has a hole in it, by not being an integral component to OS X security, there is no real security concern.
In returning to the dog leash analogy, this development is similar to someone finding that the leash buckle may break if used improperly, but since most dogs are well-mannered the leash will be just fine even with this flaw. However, in rare cases a hyper dog that is voluntarily leashed may get away and cause problems because of the flaw.
Overall, this development shows the sandboxing routines in OS X are being tested and the flaws in them are being rooted out, to help developers keep users safe from any unforeseen problems in their programs. As a result, this news is good news for both developers and users, as it ensures an application that is voluntarily sandboxed is not allowed to break the sandbox rules, and is ensured to behave as it is intende