Microsoft recently disclosed a macOS vulnerability, identified as CVE-2022-26706, that could allow specially crafted code to escape the App Sandbox and run unrestricted. The findings have been shared with Apple via the Coordinated Vulnerability Disclosure and Microsoft Security Vulnerability Research programs.
A proof-of-concept code is also available. Fortunately, Apple has already released a fix for CVE-2022-26706, which was included in the security updates on May 16, 2022. The disclosure credit has been shared with security researcher Arsenii Kostromin who uncovered a similar technique independently, Microsoft said.
CVE-2022-26706: Technical Description
According to the National Vulnerability Database technical description, the vulnerability is an access issue addressed with additional sandbox restrictions on third-party applications. The vulnerability has been fixed in iPadOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, and macOS Monterey 12.4.
Microsoft came across the issue while researching potential ways to run and detect malicious macros in Microsoft Office on macOS.
“For backward compatibility, Microsoft Word can read or write files with an ‘~$’ prefix. Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open --stdin command on a specially crafted Python file with the said prefix,” the tech giant explained.
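The pattern Microsoft describes (a sandboxed Word process handing a "~$"-prefixed file to Launch Services via open --stdin) is something an endpoint process log can be checked for. The detection heuristic below is an added example written for this article, not Microsoft's or Apple's code; the ProcEvent record shape and the sample events are constructed, and the set of Office parent names is an assumption.

```python
import os
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: sandboxed Office hosts whose child launches we want to inspect.
OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}


@dataclass
class ProcEvent:
    """Minimal constructed process-launch record (parent name + child command line)."""
    parent: str
    cmdline: str


def suspicious_open(ev: ProcEvent) -> Optional[str]:
    """Return the '~$'-prefixed path if the event matches the CVE-2022-26706
    escape pattern (Office parent -> open --stdin <~$file>), else None."""
    if ev.parent not in OFFICE_PARENTS:
        return None
    argv = shlex.split(ev.cmdline)
    # Launch Services is invoked through the `open` CLI; match on basename so
    # both `open` and `/usr/bin/open` are caught.
    if not argv or os.path.basename(argv[0]) != "open":
        return None
    if "--stdin" not in argv[1:]:
        return None
    # Word's own temp files carry the "~$" prefix; one reaching `open --stdin`
    # from an Office parent is the anomaly the article describes.
    for arg in argv[1:]:
        if os.path.basename(arg).startswith("~$"):
            return arg
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run the heuristic over a batch of events; return (parent, path) hits."""
    hits = []
    for ev in events:
        path = suspicious_open(ev)
        if path is not None:
            hits.append((ev.parent, path))
    return hits


# Constructed sample log: one benign Finder launch, one benign Word launch,
# and one event matching the described escape pattern.
SAMPLE_EVENTS = [
    ProcEvent("Finder", "open --stdin /tmp/~$notes.py"),
    ProcEvent("Microsoft Word", "open -a TextEdit /Users/demo/readme.txt"),
    ProcEvent("Microsoft Word",
              "/usr/bin/open --stdin '/Users/demo/Library/Containers/com.microsoft.Word/Data/~$doc.py'"),
]

if __name__ == "__main__":
    for parent, path in scan(SAMPLE_EVENTS):
        print(f"ALERT: {parent} -> open --stdin {path}")
```

Only the Word-parented open --stdin event is reported; the same command from Finder, or a Word-parented open without --stdin and a "~$" file, is ignored.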
The research showcases that even the built-in, baseline security features in macOS could still be bypassed. Collaboration between vulnerability researchers, software vendors, and the larger security community remains crucial to helping secure the overall user experience, Microsoft added.
It is noteworthy that in June 2022, security researchers discovered a new sandbox evasion technique. Called API hammering, the technique involves the use of a large number of calls to Windows APIs to achieve an extended sleep condition. The latter helps to evade detection in sandbox environments. The discovery comes from Palo Alto’s Unit 42 researchers. The team came across Zloader and BazarLoader samples that used the said API hammering technique.