Published: July 23, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
Hackers could be having a field day, going by a recent disclosure from Microsoft researchers and from independent researcher Arsenii Kostromin, who separately found a security vulnerability in the MacOS App Sandbox. The flaw could allow attackers to run arbitrary code on a compromised machine once they were able to take control of MacOS Launch Services. And thinking you’re safe because you have every possible security feature enabled on your Mac won’t save you from this one.
Developers are required to use the App Sandbox to get their apps into the MacOS App Store. Per the Microsoft release, “Essentially, an app’s processes are enforced with customizable rules, such as the ability to read or write specific files. The App Sandbox also restricts the processes’ access to system resources and user data to minimize the impact or damage if the app becomes compromised.” If the flaw is exploited, hackers can bypass these built-in protections and compromise both user data and the system as a whole on the affected device.
App Sandbox is the MacOS technology that manages access control: it gives apps a baseline level of security and contains the potential damage a malicious app can do. But if malware manages to get past that containment, it could gain elevated privileges and run unrestricted on the device.
The MacOS App Sandbox flaw that Microsoft is warning about has been assigned CVE-2022-26706. According to the report, attackers would only need to install hardware interfaces, which would allow them to plant undetectable malware and overwrite system files on the MacOS system. In turn, this could lead to corruption or deletion of user data.
Microsoft reportedly discovered the vulnerability while researching ways to detect malicious macros in Microsoft Office on MacOS. It was noted that the vulnerability could also be used to activate macros when MS Word documents are launched. Microsoft disables macros by default for all files that come from outside a trusted network as a user protection measure, and they shouldn’t be enabled unless you created the macros yourself, or you know and trust whoever did.
Apple has released a patch for the vulnerability, and MacOS users are therefore strongly urged to install the current security updates as soon as possible to prevent loss of important data or corruption of system files.
This is not the first time a potential exploit has been found that bypasses the sandbox. In 2018, another organization reported that a vulnerability in Microsoft Office for MacOS could allow an attacker to bypass the App Sandbox using Microsoft Word documents. At that time, the researchers also provided a proof-of-concept (POC) exploit that took advantage of Word being allowed to drop files with arbitrary contents into arbitrary directories. This was possible as long as the filenames began with “~$.”
It is, however, important to note that this latest finding by Microsoft is also a POC exploit and, as far as is known, has not been exploited by hackers. But it’s only a matter of time before that changes.