MacOS has a vulnerability that was discovered by Microsoft, it might allow specially created code to execute freely on the system and get past the App Sandbox.
The security flaw, identified as CVE-2022-26706 (CVSS rating: 5.5), affects iOS, iPadOS, macOS, tvOS, and watchOS. It was patched by Apple in May 2022. In October 2021, Microsoft notified Apple of the problem via Microsoft Security Vulnerability Research (MSVR) and Coordinated Vulnerability Disclosure (CVD).
Sandbox Objective
A specifically written Office document with malicious macro code that allows for system command execution and sandbox limitation bypass can be used by an attacker to exploit the bug. Although Apple's App Sandbox is intended to strictly control a third-party app's access to system resources and user data, the vulnerability allows for obfuscation of these limitations and penetration of the system.
When a user runs malicious software, the main goal of the sandbox is to prevent damage to the system and the user's data.
Microsoft researchers showed that the sandbox rules may be evaded by utilizing specially written software. The sandbox escape vulnerability could be used by an attacker to take charge of the vulnerable device with elevated privileges or to carry out malicious operations like downloading malicious payloads.
The experts originally developed a proof-of-concept (POC) exploit to produce a macro that starts a shell script using the Terminal app, but it was intercepted by the sandbox since it had been given the extended attribute com.apple.quarantine, which inhibits the execution by the Terminal, automatically. The experts then attempted to use Python scripts, but the Python application had a similar problem running files with the mentioned attribute.
"However, this restriction can be removed by using the -stdin option for the open command in the Python exploit code. Since Python had no way of knowing that the contents of its standard input came from a quarantined file, -stdin was able to get around the 'com.apple.quarantine' extended attribute restriction," according to a report by Jonathan Bar Or of the Microsoft 365 Defender Research Team.
