CVE-2014-8828
Description
Sandbox in Apple OS X before 10.10 allows attackers to write to the sandbox-profile cache via a sandboxed app that includes a com.apple.sandbox segment in a path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A sandboxed app with a com.apple.sandbox segment in its path can write to the sandbox-profile cache in OS X before 10.10, potentially allowing sandbox escape.
Vulnerability
The sandbox implementation in Apple OS X before version 10.10 (Yosemite) contains a vulnerability that allows a sandboxed application to write to the sandbox-profile cache. This occurs when the application's path includes a com.apple.sandbox segment. The bug resides in the sandbox profile cache handling logic, which does not properly validate paths containing this segment.
Exploitation
An attacker must have the ability to execute a sandboxed application that includes a com.apple.sandbox segment in its file path. By crafting or controlling such an application, the attacker can trigger the sandbox mechanism to write to the sandbox-profile cache. No additional authentication or network access is required beyond the ability to run the sandboxed app.
Impact
Successful exploitation allows the attacker to write arbitrary data to the sandbox-profile cache. This can lead to modification of sandbox profiles, potentially enabling privilege escalation or escape from the sandbox environment. The exact scope of compromise depends on the content written to the cache.
Mitigation
Apple addressed this issue in OS X Yosemite v10.10.2 and Security Update 2015-001 [1]. Users should update to these or later versions. No workarounds are documented for systems that cannot be updated.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <10.10
Patches
No patches discovered yet.
References (4)
News mentions
No linked articles in our index yet.