The presentation discusses a bug in LaunchServices that allowed an attacker to escape the App Sandbox and bypass privacy protections. The talk covers five different exploits and three different patches, as well as remaining attack surfaces and defense tools.
- The App Sandbox is a security measure designed to limit the damage a malicious or compromised app from the Mac App Store can do.
- LaunchServices allows apps to launch other apps or open files, and the sandbox (Seatbelt) profile explicitly allows sandboxed apps to use it.
- The bug in LaunchServices allowed an attacker to escape the App Sandbox and bypass privacy protections.
- The presentation covers five different exploits and three different patches.
- Remaining attack surfaces include application-specific environment variables that a launched app honours.
- Defense tools include a PR to the Objective-C tool process monitor and the TrueTree tool for detecting parent-child relationships in launched apps.
The presentation gives an example of how an attacker could escape the macro sandbox and inject into an Electron app to abuse its TCC privileges and entitlements. The presentation also notes that some apps are already protecting themselves by disabling the 'run as node' fuse, but many are not.
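The 'run as node' protection mentioned above is the RunAsNode fuse that Electron bakes into its framework binary. The following auditor, an added example and not code from the talk, reads that fuse wire so a defender can check which installed Electron apps still have RunAsNode enabled. It assumes the sentinel string and FuseV1 layout published by the @electron/fuses tooling (sentinel, version byte, length byte, one ASCII byte per fuse) and the standard framework path inside a .app bundle; the sample images are constructed, not real binaries.

```python
"""Check an Electron app's fuse wire for the RunAsNode fuse (defensive audit)."""
from __future__ import annotations

from pathlib import Path

# Sentinel and FuseV1 ordering as documented by the @electron/fuses tooling
# (assumption: unchanged in the Electron version being audited).
FUSE_SENTINEL = b"dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX"
FUSE_V1_NAMES = [
    "RunAsNode",
    "EnableCookieEncryption",
    "EnableNodeOptionsEnvironmentVariable",
    "EnableNodeCliInspectArguments",
    "EnableEmbeddedAsarIntegrityValidation",
    "OnlyLoadAppFromAsar",
    "LoadBrowserProcessSpecificV8Snapshot",
    "GrantFileProtocolExtraPrivileges",
]
# Each fuse byte is ASCII '0' (disabled), '1' (enabled) or 'r' (removed).
STATE = {0x30: "disabled", 0x31: "enabled", 0x72: "removed"}


def parse_fuse_wire(blob: bytes) -> dict[str, str] | None:
    """Return {fuse_name: state} from a binary image, or None if no fuse wire is present."""
    idx = blob.find(FUSE_SENTINEL)
    if idx < 0:
        return None
    pos = idx + len(FUSE_SENTINEL)
    version, length = blob[pos], blob[pos + 1]
    if version != 1:
        raise ValueError(f"unsupported fuse wire version {version}")
    values = blob[pos + 2 : pos + 2 + length]
    # Older/newer Electron builds may carry fewer or more fuses than the list above.
    names = FUSE_V1_NAMES + [f"unknown_{i}" for i in range(len(FUSE_V1_NAMES), length)]
    return {names[i]: STATE.get(b, f"unknown({b:#x})") for i, b in enumerate(values)}


def run_as_node_enabled(blob: bytes) -> bool | None:
    """True/False for the RunAsNode fuse, None if the image carries no fuse wire."""
    fuses = parse_fuse_wire(blob)
    return None if fuses is None else fuses.get("RunAsNode") == "enabled"


def audit_app(app_path: str) -> bool | None:
    """Read the Electron Framework binary inside a .app bundle and check RunAsNode."""
    framework = Path(app_path) / "Contents/Frameworks/Electron Framework.framework/Electron Framework"
    return run_as_node_enabled(framework.read_bytes())


# Constructed sample images: RunAsNode enabled ('1') and disabled ('0'), padded with filler.
SAMPLE_ENABLED = b"\x00" * 16 + FUSE_SENTINEL + bytes([1, 8]) + b"10001100" + b"\x00" * 8
SAMPLE_DISABLED = b"\x00" * 16 + FUSE_SENTINEL + bytes([1, 8]) + b"00001100" + b"\x00" * 8

if __name__ == "__main__":
    import sys
    for app in sys.argv[1:]:
        print(app, "RunAsNode enabled" if audit_app(app) else "RunAsNode disabled or absent")
```

Run it against the .app bundles under /Applications to produce an inventory of apps that have not yet disabled the fuse.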