Microsoft tells Mac users to install patches to protect against macOS App Sandbox flaw

Microsoft has detailed an exploit for a flaw its researchers found in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. 

If you have a Mac but haven’t installed Apple’s May 16 security updates for macOS, you should now, according to the Microsoft 365 Defender Research Team. 

The App Sandbox flaw is tracked as CVE-2022-26706.   

“We encourage macOS users to install these security updates as soon as possible. We also want to thank the Apple product security team for their responsiveness in fixing this issue,” writes Jonathan Bar Or of the Microsoft 365 Defender Research Team.

A reason users should install this update is that Microsoft has now shared a proof of concept (POC) exploit in two formats. One POC is long and the other so concise he says it’s a “Tweetable PoC”. 

Apple tagged it as an issue with macOS Launch Services that was fixed with “additional sandbox restrictions on third-party applications”. 

As Microsoft explains, the App Sandbox is Apple’s access control technology in macOS that application developers must adopt to distribute their apps through the Mac App Store. That includes Microsoft which distributes Office apps like Word and Excel in the store. 

App Sandbox is an access control technology provided in macOS, enforced at the kernel level according to Apple. It aims to contain damage to the system and the user’s data if an app becomes compromised by limiting access to sensitive resources on a per-app basis. 

Apple says App Sandbox is “not a silver bullet” but does act as a “last line of defense” against theft, corruption, or deletion of user data, and frustrates attempts to hijack system hardware if an attacker exploits a bug in an app.  

Microsoft’s probe of macOS Launch Services as a means of escaping the sandbox built on previous research by others in 2021, 2020 and 2018 detailing similar vulnerabilities. Last year, researchers at Perception Point found a similar sandbox escape via Launch Services (CVE-2021-30864) . Apple patched it September and disclosed it in January. 

Microsoft said it found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. “Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open –stdin command on a specially crafted Python file with the said prefix. Our research shows that even the built-in, baseline security features in macOS could still be bypassed, potentially compromising system and user data.”