Microsoft pushes mac users to patch against macOS App Sandbox flaw

Microsoft has published exploit code for a macOS vulnerability that can lead to attacks

[Image caption: Microsoft researchers release a proof-of-concept to help users understand the flaw]

Microsoft has released exploit code for a flaw in the operating system that could let attackers bypass App Sandbox restrictions and run code on the system, and it is urging users to patch the vulnerability.[1] Microsoft described the exploit for this macOS bug, which could allow specially crafted code to escape the App Sandbox and run unrestricted on the machine.[2]

Technical details are listed in the report on CVE-2022-26706,[3] in which the researchers explain how the macOS App Sandbox rules could be bypassed so that malicious macro[4] code in a Word document can execute commands on the targeted machine.

This is the method attackers have used successfully for years to deploy malware, compromise Windows systems, and carry out cyber attacks. The same can happen to macOS devices that lack the relevant security updates:

Despite the security restrictions imposed by the App Sandbox’s rules on applications, it’s possible for attackers to bypass the said rules and let malicious codes “escape” the sandbox and execute arbitrary commands on an affected device.

Malicious attacks on macOS

The Microsoft 365 Defender Research Team explains how macOS devices could be attacked through the vulnerability, which it discovered while hunting for malicious macros in Microsoft Office documents on macOS. The researchers found that Launch Services could be used to run the open --stdin command on a specially prepared Python file.

Microsoft Word is allowed to read and write files whose names begin with the prefix “~$”, a rule defined in the application's sandbox profile. Running the open --stdin command on a file with that prefix lets the code escape the App Sandbox on macOS, which can lead to compromise and infection of the system.

Such malicious macro abuse should have been curbed by the default macro-blocking that Microsoft had planned to introduce.[5] That plan was recently rolled back, with no new deadline set for a change that could improve security.

The patch is available, and users are encouraged to use it

The team released a proof-of-concept that uses the --stdin option of the open command on a Python file to bypass the extended-attribute restrictions. The demo exploit drops a Python file containing arbitrary commands, with a name carrying Word's special prefix. The researchers also note that the code is as short as a tweet. Microsoft reported the vulnerability to Apple last year, and Apple shipped the fix in the May 2022 macOS security updates (Big Sur 11.6.6).
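As an added defender-side example (not Microsoft's proof-of-concept and not code from the original article), the script below turns the two facts the article states into checks an administrator can run: a "~$"-prefixed file in a Word working directory whose content reads like a Python script is out of place, since Word's own "~$" files are small binary owner/lock records, and a Big Sur host below 11.6.6 has not received the fix. The directory to scan is passed in by the caller; the location of Word's container is an assumption left to the operator, and the sample files are constructed inline.

```python
"""Detection-style checks for the CVE-2022-26706 pattern described in the article.

Added example, not Microsoft's PoC. Two checks:
  1. find "~$"-prefixed files whose content looks like a Python script
     (a legitimate Word owner file is a short binary record, not text),
  2. report whether a Big Sur (11.x) version string is at or above 11.6.6,
     the fixed build named in the article.
The scan directory is supplied by the caller; where Word keeps its files on a
given host is an assumption the operator has to confirm.
"""
import re
import tempfile
from pathlib import Path

# Cheap content markers for "this text is a Python script".
PYTHON_MARKERS = (
    re.compile(rb"^#!.*python", re.I),             # shebang line
    re.compile(rb"^\s*import\s+\w+", re.M),         # import statement
    re.compile(rb"^\s*from\s+\w+\s+import", re.M),  # from-import statement
    re.compile(rb"subprocess|os\.system", re.M),    # command execution helpers
)


def looks_like_python(data: bytes) -> bool:
    """Heuristic: content decodes as UTF-8 text and matches a Python marker."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False  # binary data, e.g. a real Word owner/lock file
    return any(p.search(data) for p in PYTHON_MARKERS)


def find_suspicious_owner_files(directory):
    """Return '~$'-prefixed files under `directory` whose content looks like Python."""
    hits = []
    for entry in Path(directory).rglob("~$*"):
        if not entry.is_file():
            continue
        with open(entry, "rb") as fh:
            head = fh.read(4096)  # the marker, if any, is at the top of the file
        if looks_like_python(head):
            hits.append(str(entry))
    return sorted(hits)


def parse_version(version):
    """'11.6.6' -> (11, 6, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def big_sur_patched(product_version):
    """True if a Big Sur (11.x) version is >= 11.6.6, the fixed build the article names.

    Returns None for any other major version: the article only names the Big Sur
    build, so other branches must be checked against Apple's own advisory.
    """
    parts = parse_version(product_version)
    if parts[0] != 11:
        return None
    return parts >= (11, 6, 6)


def build_sample_dir():
    """Constructed sample data: one normal owner file, one suspicious one, one document."""
    sample = Path(tempfile.mkdtemp(prefix="word_scan_"))
    # Ordinary owner file: short, non-UTF-8 binary record (constructed, not real Word output).
    (sample / "~$report.docx").write_bytes(b"\xff\xfeJ\x00a\x00k\x00e\x00" + b"\x00" * 100)
    # Suspicious: Word-style prefix, but the content is a Python script.
    (sample / "~$notes.docx").write_bytes(
        b"#!/usr/bin/env python3\nimport subprocess\nsubprocess.run(['id'])\n"
    )
    # Unrelated document without the prefix: never considered.
    (sample / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    return str(sample)


if __name__ == "__main__":
    scan_dir = build_sample_dir()
    print("suspicious files:", find_suspicious_owner_files(scan_dir))
    for v in ("11.6.5", "11.6.6", "12.3"):
        print(v, "patched:", big_sur_patched(v))
```

In practice the scan is pointed at the directories Word actually writes to on the host being audited (Word's sandbox container and the user's document folders), and the version string comes from `sw_vers -productVersion`; the heuristic is deliberately loose, so treat a hit as something to inspect rather than as proof of exploitation.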

There is a persistent myth that cyber attacks and malware on macOS are not real, but this is a false narrative that should be taken seriously. Malware evolves, and cybercriminals run targeted campaigns that affect Apple machines too. Windows is not the only operating system that needs protection from malware and cybercriminal attacks.

Mac operating systems are affected by threats and cybercriminal campaigns as well. Such infections can easily be distributed through malicious emails and other channels that deliver macro-laden Word files. You need to take care of your machine's security no matter which OS it runs.
