Move over, iOS: CoreLabs Research has posted a public notification of a potential security vulnerability in Mac OS X's sandboxing mechanisms. According to CoreLabs, it's possible for sandboxed apps to trigger external processes that aren't sandboxed and possibly gain privileges not granted by a particular sandboxing profile. The revelation comes shortly after Apple announced it would force apps distributed via its Mac App Store to use sandboxing, ostensibly to increase security for Mac OS X users.

Apps that conform to Apple's sandbox design use a set of "entitlement" profiles defined by Apple; those profiles determine which system resources it can use and which are off limits. CoreLabs discovered that some of the limits in the default profiles can actually be circumvented by triggering certain Apple Events. In particular, Apple Events can cause launchd to launch a separate process without sandbox restrictions.

CoreLabs explained that a default profile that restricts an app from network access, for instance, could open a socket via osascript, thereby working around the network access restriction. Beyond the obvious potential for a malicious app to break out of the sandbox, these default profiles also set a potentially bad example for developers who think they are locking down their apps properly. "If the no-network profile allows AppleScript events, this may result in new applications using the same restriction rules, therefore offering a false sense of security," CoreLabs explained in its vulnerability report.

Senior Product Manager Alex Horan criticized Apple's response to the vulnerability as well—the response being nothing, mostly. After being notified of the vulnerability, Apple apparently decided to merely modify its documentation to point out "that the restrictions that these particular sandbox profiles provide are limited to the process in which the sandbox is applied."

Horan believes this could leave users at risk. He noted that similar sandboxing profile vulnerabilities were discovered by security researcher Charlie Miller in 2008. "At that time Apple modified the profile to prevent the vulnerability reported from being triggered, so the question remains: why has Apple chosen not to do that in this instance?" he wrote.

If Apple's response to sandbox flaws is to ignore them—as it appears to have done in this case—then users will end up with apps limited by the sandboxing restrictions without the improved security they were promised.

Of course, developers are still debating whether Apple's sandboxing requirements will actually improve security or not. Security researcher Jonathan Zdziarski told Ars that he believes the potential downsides aren't worth the supposed security improvements. Noted Mac OS X developer Wil Shipley wrote that sandboxing simply isn't an elegant solution to security issues on the desktop as it has been on iOS. "[Sandboxing] entitlements are a binary solution—if there’s a hole anywhere in it that malware authors find, then there’s really not much Apple can do until they issue a full operating system patch," he wrote.