
Mac OS X Sandbox Security Hole Uncovered

samzenpus posted more than 2 years ago | from the protect-ya-neck dept.

Security 155

Gunkerty Jeb writes "Researchers at Core Security Technologies have uncovered a security hole that could allow someone to circumvent the application sandbox restrictions of Mac OS X. The report of the vulnerability, which affects Mac OS X 10.7x, 10.6x and 10.5x, follows Apple's announcement earlier this month that all applications submitted to the Mac App store must implement sandboxing as of March 1, 2012. Sandboxing, Apple has argued, limits the resources applications can access and makes it more difficult for malware to compromise systems. Researchers at Core however revealed Nov. 10 that they had warned Apple in September about a vulnerability in their sandboxing approach. According to Core's advisory, several of the default predefined sandbox profiles fail to 'properly limit all the available mechanisms.' As a result, the sandboxing restrictions can be circumvented through the use of Apple events."


bugger (-1)

Anonymous Coward | more than 2 years ago | (#38043862)

bugs found in sand pit == scream!

Legalize Marijuana!!! (-1)

Anonymous Coward | more than 2 years ago | (#38043864)

Stop the madness! Smoke some dope!

Re:Legalize Marijuana!!! (-1)

Anonymous Coward | more than 2 years ago | (#38044230)

It's Apple, I'm sure they were smoking something else when all of this was going on.

Re:Legalize Marijuana!!! (1)

ozmanjusri (601766) | more than 2 years ago | (#38045396)

Cork?

Put off requiring sandboxing (5, Interesting)

0racle (667029) | more than 2 years ago | (#38043898)

Apple recently announced they were pushing back the requirement for sandboxing, originally the requirement was November. Maybe this is why.

Re:Put off requiring sandboxing (0, Informative)

Anonymous Coward | more than 2 years ago | (#38043992)

No, this is unrelated to the upcoming Sandbox requirements. This is not related to the iOS style sandbox requirements coming to the Mac AppStore at all... Just some garbage slashdot is spreading...

Nothing to see here (2, Informative)

Anonymous Coward | more than 2 years ago | (#38043902)

This is a fake story about a fake hole. The "vulnerability" is that some sandbox profile, called "no-network", which isn't part of App Sandbox (a totally different sandbox technology, that will be required for apps on March 2012), but rather part of the legacy sandbox technology that was unused by 3rd party developers, only prevents network access. Yes, the no-network profile only prevents network access.

It's sad what's happened to Core Security in the past year or so.

Re:Nothing to see here (0, Troll)

MichaelKristopeit353 (1968162) | more than 2 years ago | (#38043930)

slashdot = stagnated

Re:Nothing to see here (-1, Troll)

Anonymous Coward | more than 2 years ago | (#38043952)

But for some reason you're still here, stroking your e-peen and casting your 3-inch shadow.

Re:Nothing to see here (-1)

Anonymous Coward | more than 2 years ago | (#38044104)

Why'd you have to go and give him the attention he so desperately craves? Now we'll never get shot of that prick.

Don't. Feed. The. Trolls.

Re:Nothing to see here (-1, Offtopic)

MichaelKristopeit353 (1968162) | more than 2 years ago | (#38044114)

you're an ignorant hypocrite.

why do you cower in my shadow? what are you afraid of?

you're completely pathetic.

Re:Nothing to see here (-1, Troll)

MichaelKristopeit355 (1968164) | more than 2 years ago | (#38044160)

you're. an. ignorant. hypocrite.

Re:Nothing to see here (-1, Troll)

MichaelKristopeit400 (1972448) | more than 2 years ago | (#38044172)

are you suggesting there is absolutely no potential for redemption of this internet website chat room message board?

do you know what stagnation implies?

you're an idiot.

cower in my shadow some more, feeb.

you're completely pathetic.

Re:Nothing to see here (-1)

Anonymous Coward | more than 2 years ago | (#38044246)

are you suggesting there is absolutely no potential for redemption of this internet website chat room message board?

You attempted to state an equality. Equalities don't have the potential to become untrue tomorrow. Things that have the potential to become untrue tomorrow are not equalities.

Re:Nothing to see here (0)

MichaelKristopeit400 (1972448) | more than 2 years ago | (#38044340)

i didn't attempt to state an equality... i did state an equality... you're an idiot. you = idiot.

the president of the united states = barack obama.

equality has absolutely nothing to do with potential to become untrue... however, you will never not be an idiot, so i guess that's a bad example.

cower in my shadow some more, feeb.

you're completely pathetic.

Re:Nothing to see here (-1, Offtopic)

epyT-R (613989) | more than 2 years ago | (#38044392)

you sure it's 3in? did you use your iphone based 'acoustic ruler' to measure?

Re:Nothing to see here (1)

MichaelKristopeit403 (1978294) | more than 2 years ago | (#38044466)

considering their measurement would be from a fantasy of theirs, it's equally irrelevant either way.

No, this is a very serious issue. (3, Insightful)

Anonymous Coward | more than 2 years ago | (#38044006)

Ever since JavaScript, iOS, and Android became widely hyped, we've heard a lot of fools screaming on about how sandboxing is somehow the solution to all of computing's ills. They claim it'll provide perfect security, and processes will be totally isolated from one another, and performance won't suffer, and a whole host of other claims that are utter bullshit.

This incident is so important just because it blows a hole in everything these sandbox-loving idiots are claiming. This is important because it's reality putting their silly theoretical beliefs in the spotlight, where everyone can see just how full of shit the "sandboxing is the answer!" crowd is.

Those of us who have pointed out that all sandboxes are imperfect, and are merely another tool in our toolbox, have been proven right once again. After all, we've been dealing with these sandboxing techniques since they were first implemented on mainframe systems, and then later in most commercial UNIX systems and the BSDs, and then by the JVM and .NET.

Sandboxing has its place. Like I said, it's one tool among many. But it's not the savior that so many have claimed it to be, especially as of late. I suppose that we shouldn't be surprised that these fools are so wrong. After all, many of these "programmers" only know JavaScript. Hell, some of them were born after 1990, a good 20 years after we realized what the problems were with sandboxing after it had been implemented on mainframes back in the 1960s and 1970s.

Re:No, this is a very serious issue. (1, Interesting)

BasilBrush (643681) | more than 2 years ago | (#38044862)

What a fine collection of strawmen.

Re:No, this is a very serious issue. (-1)

Anonymous Coward | more than 2 years ago | (#38044964)

Ah, so you're one of those fellows. You can't actually argue against your opponent's points, so you resort to making false accusations of fallacies that you don't even actually understand.

Try again. Try to argue the points.

Re:No, this is a very serious issue. (1)

MichaelKristopeit404 (1978298) | more than 2 years ago | (#38044968)

you're an ignorant hypocrite.

Re:No, this is a very serious issue. (0, Troll)

LordLimecat (1103839) | more than 2 years ago | (#38045004)

I don't think "strawmen" describes his post-- what idea did he set up for ridicule and then tear down?

Re:No, this is a very serious issue. (1)

Anonymous Coward | more than 2 years ago | (#38045120)

I don't think "strawmen" describes his post-- what idea did he set up for ridicule and then tear down?

The first two sentences are both statements of fact that are not true:

"""
Ever since JavaScript, iOS, and Android became widely hyped, we've heard a lot of fools screaming on about how sandboxing is somehow the solution to all of computing's ills. They claim it'll provide perfect security, and processes will be totally isolated from one another, and performance won't suffer, and a whole host of other claims that are utter bullshit.
"""

Re:No, this is a very serious issue. (1)

Anonymous Coward | more than 2 years ago | (#38045298)

Those of us who have pointed out that all sandboxes are imperfect

Yeah, so what? Fix bugs when they occur and move on. Sandboxes aren't interesting because they are the end solution to all computer security problems, but because without them you have virtually no protection at all. Sandboxes are a damn good step into the right direction.

Broken concept (5, Informative)

Anonymous Coward | more than 2 years ago | (#38044092)

> Yes, the no-network profile only prevents network access.

1. no-network profile does *not* prevent network access see PoC [1]
2. The concept itself is broken, a sandbox which *only* prevents network access is completely useless. As a result network access is available to sandboxed applications.

[1] http://www.coresecurity.com/content/apple-osx-sandbox-bypass

Re:Broken concept (0)

MichaelKristopeit355 (1968164) | more than 2 years ago | (#38044138)

a sandbox which *only* prevents network access is completely useless.

so every firewall application or appliance is completely useless? maybe SELinux should change its name to CULinux.

you're an idiot.

Re:Broken concept (1)

mattventura (1408229) | more than 2 years ago | (#38044208)

I think what he means is that if it only tries to prevent network access but does not properly restrict access to other parts of the system, then the application can indirectly get at least some network access.

Re:Broken concept (1, Offtopic)

MichaelKristopeit401 (1976824) | more than 2 years ago | (#38044394)

"proper" is relative to intention... if one application is trusted to engage in network activity, and another application that isn't trusted to engage in network activity, but is trusted to communicate with the other application and proxy network requests through it, that isn't a breakdown in security... it's completely proper, as the intention was for ease of security policy administration.

Re:Broken concept (2)

drinkypoo (153816) | more than 2 years ago | (#38044242)

firewall != sandbox

A sandbox is a limited privilege execution environment. That is different from a firewall, or an ACL list, or an IP table, et cetera.

you're a schmuck.

Re:Broken concept (0)

MichaelKristopeit401 (1976824) | more than 2 years ago | (#38044370)

ur mum's face're a schmuck.

a firewall is a limited privilege execution environment... the execution of delivery of bits from a source to a target... exactly the same as the sandbox controls used to keep bits out of the execution stack. you're an ignorant hypocrite.

cower in my shadow some more behind your chosen fecal consumption based pseudonym, feeb.

you're completely pathetic.

Re:Broken concept (1)

hairyfeet (841228) | more than 2 years ago | (#38044360)

The only idiot here is you Mikey "400 accounts and counting" dipshit, if you honestly don't know the difference between a sandbox and a firewall. The WHOLE POINT of a sandbox is to restrict the entire application to a pre approved reduced permission set, such as the sandboxing on Chromium or the Windows "low rights mode" for browsers like Chromium and IE, whereas a firewall is only for restricting access to the Internet based on either pre approved rules or heuristics.

So here is a thought Mikey, instead of working on getting your magical 1000th account because you can't quit being a retard, why don't you try actually reading up on the subjects you are gonna post about so you won't be retarded in the first place? how about that?

Re:Broken concept (1)

MichaelKristopeit402 (1978292) | more than 2 years ago | (#38044440)

the only idiot here is ur mum's face.

if you honestly can't see the similarities between a sandbox and a firewall, then the WHOLE POINT of your ignorant hypocrisy is to show that you're an uninformed moron.

a firewall controls the flow of bits to and from the network stack... a sandbox controls the flow of bits to and from the execution stack... fundamentally they are exactly the same.

cower in my shadow some more behind your chosen podiatric follicle based pseudonym, feeb.

you're completely pathetic. how about that?

Re:Broken concept (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38045204)

2. The concept itself is broken, a sandbox which *only* prevents network access is completely useless.

A sandbox doesn't have to be watertight to be useful, as the goal isn't just blocking malicious applications, but also inspecting and controlling legitimate applications. Games for example often do network access, even when not needed, a personal firewall or sandbox can prevent that. That the protection can be circumvented isn't an issue here, as that would mean breaking the law and most companies wouldn't go that far just to collect some user data.

Re:Nothing to see here (5, Informative)

Decameron81 (628548) | more than 2 years ago | (#38044212)

This is a fake story about a fake hole. The "vulnerability" is that some sandbox profile, called "no-network", which isn't part of App Sandbox (a totally different sandbox technology, that will be required for apps on March 2012), but rather part of the legacy sandbox technology that was unused by 3rd party developers, only prevents network access. Yes, the no-network profile only prevents network access.

It's sad what's happened to Core Security in the past year or so.

No, it's not a fake vulnerability. You should read the report (RTFR?).

The vulnerability is about how apple events can be used to bypass the sandboxing of an application, and in this particular case to gain unrestrained network access even though the app is tagged as "no-network". According to the report it can be used to bypass other restrictions too.

Re:Nothing to see here (1)

MichaelKristopeit403 (1978294) | more than 2 years ago | (#38044514)

if a "no-network" app is allowed to communicate with a "yes-network" app, then network requests can obviously be proxied... that isn't a vulnerability. you should read the dictionary (RTFD?).

Re:Nothing to see here (1)

Anonymous Coward | more than 2 years ago | (#38045194)

The report gives an easy example of how the "no-network" app, can easily create and launch itself a "yes-network" script. How is that not a vulnerability?

That's basically an escalation vulnerability caused by a design flaw. Once again, I understand your confusion, but RTFR.

Re:Nothing to see here (0)

MichaelKristopeit404 (1978298) | more than 2 years ago | (#38045294)

from TFR:

"Assume that an attacker provides you with a file containing his contact information and that a vulnerability in the address book allows the malicious user to take control of the application."

it isn't that it's not a vulnerability... it's that it's based on an assumption of vulnerability.

you're an idiot.

cower in my shadow some more, feeb.

you're completely pathetic.

Apple users get told again. (-1)

Anonymous Coward | more than 2 years ago | (#38043922)

Steve Jobs got his security hole exploited last month, and now apple fanboys are getting it too [goatse.ru] .

Re:Apple users get told again. (-1)

Anonymous Coward | more than 2 years ago | (#38044058)

I know puberty can be a tough time. Hang in there, keep being a prick on the internet if it helps you release that stress, you'll be a grown up soon.

Kudos to Apple (1)

Anonymous Coward | more than 2 years ago | (#38043928)

Sandboxing is a really good idea, and doesn't introduce much overhead (although communication with devices might be problematic!). Kudos to Apple.

Apple's sandbox goes too far and for multi user setu (2)

Joe_Dragon (2206452) | more than 2 years ago | (#38043950)

http://www.lowendmac.com/newsrev/11mnr/1111.html#1 [lowendmac.com]
http://www.cultofmac.com/113977/os-x-lion-sandboxing-is-a-killjoy-destined-to-ruin-our-mac-experience/ [cultofmac.com]

Why make it so you can't have the ability to save changes to files that you do not own? Why have it ask for admin rights when doing so?

Re:Apple's sandbox goes too far and for multi user s (1)

Anonymous Coward | more than 2 years ago | (#38044008)

Huh? That should be the norm. I don't want any doofus or luser to modify my files.
Using sudo/su in these circumstances is proper Unix practice. (Mac OS X _is_ in fact a certified Unix system)

Re:Apple's sandbox goes too far and for multi user s (1)

Joe_Dragon (2206452) | more than 2 years ago | (#38044040)

But your app can't even ask for rights so that makes it hard to edit some.

and next is an app can't even open other app's files or even see the full file system.
after that games can't have mods or user maps or use a map editor that is not part of the main game app file.

Sandbox holes will then become a "feature". (4, Interesting)

Anonymous Coward | more than 2 years ago | (#38044144)

You're absolutely right. This is always the path taken with sandboxing. Once people realize that the sandbox is preventing them from getting real work done, the next hyped "feature" is usually some way to bypass the sandbox.

This is exactly what IPC was on UNIX systems, for instance. It allowed unrelated and isolated processes to communicate with one another. For a while it was one of the big selling points of certain commercial UNIX variants.

Apple and Microsoft (with Windows 8) are merely 30 years behind those who were the true leaders. But instead of learning from history, they'll spend the next few years causing numerous problems thanks to sandboxing, and then sometime around 2015 or 2016 we'll see support for bypassing the sandbox start getting hyped as a competitive advantage.

Re:Sandbox holes will then become a "feature". (1)

drinkypoo (153816) | more than 2 years ago | (#38044248)

This is exactly what IPC was on UNIX systems, for instance. It allowed unrelated and isolated processes to communicate with one another. For a while it was one of the big selling points of certain commercial UNIX variants.

The wonderful thing about standards is that there are so many of them. Today there's SysV IPC, and there's CORBA, and there's dbus, and there's proprietary interfaces with shared memory, and...

Re:Sandbox holes will then become a "feature". (3, Insightful)

CharlyFoxtrot (1607527) | more than 2 years ago | (#38044892)

You're absolutely right. This is always the path taken with sandboxing. Once people realize that the sandbox is preventing them from getting real work done, the next hyped "feature" is usually some way to bypass the sandbox.

No they won't because "people" don't understand filesystems, that's a geek thing. That's why so many people have all their files on their desktop. Computing is finally tilting away from geeks and towards making norms comfortable. Don't worry, you'll always have Linux.

Re:Sandbox holes will then become a "feature". (0)

cheeks5965 (1682996) | more than 2 years ago | (#38044944)

That's why so many people have all their files on their desktop.

[citation needed]

Re:Sandbox holes will then become a "feature". (3, Insightful)

CharlyFoxtrot (1607527) | more than 2 years ago | (#38045172)

Just go look at some Windows users in the wild. The fact that they had to create an automatic desktop cleanup wizard for Windows speaks volumes. People who do this all say the same thing: it's convenient, they know where the files are and don't have to think about it. We are categorizers, we think in trees and hierarchies, normal people just use stacks. As in: a stack of papers on my desk ("it's in here somewhere") and a stack of files on their desktop.

Part of this is solved by search, like Gmail does: don't sort your mail, just search it. Apple also does this with Spotlight, its system wide search. Another solution is to keep data tied to an app. Arguably Apple already does this with iTunes and iPhoto which are backed by folders but folders you never need to go into because you access your data through the apps. The data stays in the app where you "left it" until you explicitly export it in some way. This seems much more intuitive to normal people and works well with sandboxing. It's also abhorrent to geeks because they fear lock-in although personally I think it's difficult to imagine lock-in in an internet connected world where the first feature users ask of their software is easy sharing.

Re:Sandbox holes will then become a "feature". (2)

Moridineas (213502) | more than 2 years ago | (#38045354)

I really think this has far more to do with your personality and organizational type than geek vs non-geek. It's pretty well established that people organize in different ways (stackers, spreaders, filers, etc). I guess it's probable that there's some correlation in that perhaps computers geeks are more likely to be filers, but that's not been my personal experience.

I keep a ton of files on my Desktop at any one time. I don't think that in any way disqualifies me from being a geek! Likewise, one of the artists I work with NEVER has a single sheet of paper on her desk (beyond the one or two she is currently working on) and has only a single icon on her desktop. Does that make her a geek?

Re:Sandbox holes will then become a "feature". (0)

cheeks5965 (1682996) | more than 2 years ago | (#38045362)

We are categorizers, we think in trees and hierarchies, normal people just use stacks.

when drawing a distinction between "we" and "normal people", please don't lump me in with the former!

Re:Sandbox holes will then become a "feature". (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#38045400)

Sorry, you're on Slashdot. "Gooble, gobble one of us, one of us." [youtube.com]
If it makes you feel better you can think of it as normal++.

under the sandbox adobe CS apps will not be able t (2)

Joe_Dragon (2206452) | more than 2 years ago | (#38044000)

under the sandbox adobe CS apps will not be able to work with each other and even then it will be a hard fit into the app store.
The top of the line pack is US$ 2,599 way over the apps store max price of $999 and even then that is like $780 for Apple's cut now I think it costs way less than that to sell it on your own per copy.

also adobe has upgrade pricing as well. Will the app store system let you have upgrade prices? even from older vers not in the app store.

Re:under the sandbox adobe CS apps will not be abl (2)

phantomfive (622387) | more than 2 years ago | (#38044176)

That's ok, we absolutely don't want to have every app bought from the app store and run in a sandbox. That makes it too easy for Apple to lock down their entire OS, at which point I have to trash my Mac.

Re:under the sandbox adobe CS apps will not be abl (1)

Anonymous Coward | more than 2 years ago | (#38044384)

That's ok, we absolutely don't want to have every app bought from the app store and run in a sandbox. That makes it too easy for Apple to lock down their entire OS, at which point I have to trash my Mac.

We don't. Take note of the definition of "we" in this context.

"We" does not include Apple.

Re:under the sandbox adobe CS apps will not be abl (1)

ColdWetDog (752185) | more than 2 years ago | (#38044470)

Besides, Adobe has figured out an even better way to screw their users - they're going to put their heads in the cloud and their fingers in our wallets by switching to a subscription service [adobe.com] .

How do you like them Apples, Charly?

Don't give up (5, Interesting)

fyngyrz (762201) | more than 2 years ago | (#38044480)

No. You don't have to trash your Mac. OS X 10.5.8, Leopard, has the following useful characteristics:

1) it allows 64-bit data, so apps written for it can process massive data sets when used with 64-bit capable processors;

2) it comes on optical media, and is both easily installed and duplicated;

3) it is beginning to receive support from the user community (as opposed to Apple) for the bugs Apple left in it; (console messages in error with cron operations, anyone? -- not anymore)

4) it supports a wider range of available drivers than either Snow Leopard or Lion (or presumably, any of their successors);

5) it supports PPC emulation, consequently doesn't obsolete all those years of software, as does Lion;

6) Apple updates for Leopard that don't implement the problems of Snow Leopard and Lion are available as files;

7) Most responsible developers still support Leopard (it's still used by ~30% of the installed base)

8) The more people use Leopard, the healthier the OS X software community will be

9) No sandboxing -- straight up access according to user permissions. Terrific resistance to non-privileged exploits; the usual vulnerabilities if you're gullible enough to install malware and give it access.

10) Available for PPC, so entire spectrum of Macs for many years are usable and available as a market. If it ain't broke... don't stop supporting it.

Speaking as a developer, my company is aiming straight at, and developing under, Leopard; though we do test under Snow Leopard and Lion. It's a shame to have to give up some of the API's we could otherwise use (no one here is interested in implementing features that only work under later OS versions), but clearly it's the right thing to do: unlike Apple, we're not inclined to leave users behind, which is the philosophy that clearly underlies 10.6 and later.

Leopard is kind of like Apple's version of XP, except without the built-in obsolescence of "activation." It'll work natively for many, many years yet and with the advent of VMs, probably decades after that. It is easily "Hackintoshable." And in the meantime, if enough people drag their feet, maybe even Apple can be made to "get the message" that it isn't OS X that needs to move in the direction of IOS... it's IOS that needs to move in the direction of OS X. You know, things like nested folders, apps that can work filesystem-wide, etc.

Re:Don't give up (0)

Anonymous Coward | more than 2 years ago | (#38045210)

Too bad Mac devs were all so eager to go Intel only. Leopard is still useful, but you're just frozen in time, unable to use newer applications.

Oh and a more apt description would be its like Apple's version of 2000. Good OS but some important things you may want just aren't available to you. God forbid you're stuck with a PPC machine/boot anchor. My sexy mini sits there way underutilized because of God dam bloated Flash and lazy devs who can't figure out how to write apps that run quickly on a 1.42GHz G4. That's just a sad end to a fine architecture that should be allowed to be far more useful today than it currently is.

Re:Don't give up (1)

fyngyrz (762201) | more than 2 years ago | (#38045266)

Too bad Mac devs were all so eager to go Intel only. Leopard is still useful, but you're just frozen in time, unable to use newer applications.

Well, no, actually.

You're unable to use applications that use later OS's as a target. You can, however, use many, many brand new apps (and many, including ours, that aren't even out yet will be usable as well), because it is 100% practical and reasonable to target Leopard and work just fine on Snow Leopard and Lion at the same time -- you can even do it by intelligently checking for the existence of more advanced APIs. That is entirely in the developer's hands. Any app that will *only* work on Lion was aimed, at best, at (right now) about 16% of the users out there, because that's the current Lion adoption. Twice that many users are still on Leopard.


God forbid you're stuck with a PPC machine/boot anchor. My sexy mini sits there way underutilized because of God dam bloated Flash and lazy devs who can't figure out how to write apps that run quickly on a 1.42GHz G4. That's just a sad end to a fine architecture that should be allowed to be far more useful today than it currently is.

Sorry? Look, I've got an 8-core, 3 GHz, mucho RAM + multiple TB class HD system on my desk, but I've also got two PPC minis; one serves just fine as a media machine, the other does useful duty in my music studio, displaying tabs, playing cuts from iTunes, hunting down lyrics, allowing me to compose, etc. And then there's Mame. How else are you going to play accurate versions of Omega Race, etc.? Seriously, the PPC machines can be as useful as you let them be. As for Flash... I guess I never really cared. Never saw it on IOS, either, never missed anything I considered important. And now, Adobe has quit mobile flash... RIP.

Sandboxing limits resources (1)

inpher (1788434) | more than 2 years ago | (#38044018)

Sandboxing, Apple has argued, limits the resources applications can access and makes it more difficult for malware to compromise systems.

I think everyone argues that sandboxing limits the resources applications can access and makes it more difficult for malware to compromise systems. Well, at least for a fully functional application sandbox.

Steam can't run in a sandbox so apple can lock the (1)

Joe_Dragon (2206452) | more than 2 years ago | (#38044050)

Steam can't run in a sandbox so Apple can lock them out if they move to more of an app store only system.

Re:Steam can't run in a sandbox so apple can lock (5, Informative)

smash (1351) | more than 2 years ago | (#38044106)

This will not happen. I see this bullshit paranoia all the time. The mac will NOT be app-store only. However, if you CHOOSE to run app store only apps, you get sandboxed, vetted apps from a trusted vendor. Windows 8 is going the same way.

Re:Steam can't run in a sandbox so apple can lock (2, Insightful)

PopeRatzo (965947) | more than 2 years ago | (#38044166)

The mac will NOT be app-store only.

I think some will be app-store only.

I would not be surprised if iMacs or entry-level Macs become app-store only.

It appears to me that's the direction Apple is going. If they continue to build non hand-held computers at all, that is. That doesn't seem to be their focus any more, sadly.

Re:Steam can't run in a sandbox so apple can lock (1)

Anonymous Coward | more than 2 years ago | (#38044296)

>I would not be surprised if iMacs or entry-level Macs become app-store only.

Then you clearly don't understand Apple as well as you think you do. Tablets, etc. can be limited, but customers are used to tweaking their desktops or laptops. Apple knows this.

Re:Steam can't run in a sandbox so apple can lock (-1)

fyngyrz (762201) | more than 2 years ago | (#38044556)

Then you clearly don't understand Apple as well as you think you do. Tablets, etc. can be limited, but customers are used to tweaking their desktops or laptops. Apple knows this.

No, I think it is you who doesn't understand Apple. Customers were used to using drivers for scanners and etc, Apple took that away (effectively taking away the supported hardware) in Snow Leopard by breaking tons of them -- and never going back to fix them. Customers were used to being able to run the PPC apps they had spent many dollars on... Apple took that away in Lion. Customers have been used to apps (oh, I dunno, like Photoshop?) that were part of a system of apps that worked with their data, and Apple's taking that away within the bounds of the app store... and you think it's unlikely that this policy will spread outside the store? Buddy, Apple does what it wants -- they are *famous* for doing "teh stupidz" -- folders that don't nest under IOS, "wifi sync" that doesn't work under Leopard, a 4-year old native OS, while it does under XP, a ten year old non-native OS, they break the living hell out of IOS apps with just about every "upgrade", forcing developers to put up Yet Another Version of their app to correct for the incompatibilities...

When your reasoning depends upon Apple doing things because customers have expectations, your reasoning is no better than a random guess. Apple makes roadmaps, has "visions", and then aims at them. Up until Leopard and IOS4, they were doing pretty well at hitting the target, though of course everyone wanted more. 10.6 and later, IOS5... these are huge bags of fail from several perspectives, most especially from the one you're using to make your assertion: Apple doesn't aim at keeping customers expectations static.

Re:Steam can't run in a sandbox so apple can lock (1, Insightful)

Jeremi (14640) | more than 2 years ago | (#38044740)

>Buddy, Apple does what it wants -- they are *famous* for doing "teh stupid"

Yup, if there's one thing Apple is famous for, it's their inept decision making. That's why they are doing so poorly and their products are so unpopular.

Re:Steam can't run in a sandbox so apple can lock (4, Interesting)

fyngyrz (762201) | more than 2 years ago | (#38044784)

Apple built their business on good decision making, no question. But also no question, they've made grave errors recently. Why do you think Lion has such a low adoption? Why do you think the Apple fora are full of complaints? Why do you think so many IOS apps are crashing, and why the advertised features of IOS5 don't work? Why is it that Apple isn't doing sufficient testing prior to release? Why is it that they are leaving so many existing, recent customers out in the cold? Why is it that they are dumbing down OS X applications? They're aiming at the middle of the Gaussian now... and that isn't, historically speaking, their Mac customer base.

As the financial dweebs say: past history is no guarantee of future performance. But past history is what gets a company to wherever they are, today.

As soon as you learn to distinguish these two concepts, you'll begin to understand what is happening.

Re:Steam can't run in a sandbox so apple can lock (0)

cheeks5965 (1682996) | more than 2 years ago | (#38045030)

>Why do you think Lion has such a low adoption?

[[citation needed]]

>Why do you think the Apple fora are full of complaints?

[[citation needed]]

>Why do you think so many IOS apps are crashing, and why the advertised features of IOS5 don't work?

[[citation needed]]

>Why is it that Apple isn't doing sufficient testing prior to release?

[[citation needed]]

>Why is it that they are leaving so many existing, recent customers out in the cold?

[[citation needed]]

>They're aiming at the middle of the Gaussian now... and that isn't, historically speaking, their Mac customer base.

[[citation needed]]

Re:Steam can't run in a sandbox so apple can lock (0)

Anonymous Coward | more than 2 years ago | (#38045104)

Unfortunately you're clearly too dense to even use google so you obviously don't have the intellectual capacity to comprehend citations for the claims anyway.

Re:Steam can't run in a sandbox so apple can lock (4, Informative)

fyngyrz (762201) | more than 2 years ago | (#38045132)

Google Lion Adoption [lmgtfy.com]

Google Apple fora complaints [lmgtfy.com]

IOS5 feature not working [lmgtfy.com]

IOS app crashing [lmgtfy.com]

>Why is it that Apple isn't doing sufficient testing prior to release?
>
>[[citation needed]]

If apps are crashing and drivers don't work and features don't work and data is being lost and batteries are being consumed too fast at release time... they're not doing enough testing. Or is that too complex an idea for you to wrap your head around? Go read the Apple support forums, for FSM's sake. Your profound ignorance is annoying.

>Why is it that they are leaving so many existing, recent customers out in the cold?
>
>[[citation needed]]

Seriously? Ok, starting with Snow Leopard, there's a huge list [wikidot.com]. With Lion, I'm just going to point at them dropping the PPC emulator and see if you get it (keeping in mind that there are many additional issues similar to those at the above Snow Leopard incompatibility monitor. But, you know, Google it [lmgtfy.com].)

>They're aiming at the middle of the Gaussian now... and that isn't, historically speaking, their Mac customer base.
>
>[[citation needed]]

Oh, Jeez, low-hanging fruit. I'm sorry (well, not very): [says nothing, points finger straight at you]

...and so on. Google. It's useful, if you learn how to use it. You just put the question you have in the little box, then press the little magnifying glass picture. You can do it.

PS: Nothing I said was in the least an exaggeration or hyperbole: I'm an active Mac and IOS user and an OS X developer, and in these matters, I am reasonably well informed.

Re:Steam can't run in a sandbox so apple can lock (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#38045042)

Lion's 16% installed base [theverge.com] is NOT bad after only 4 months. The Apple fora have always been full of complaints. All the rest is just opinions and conjecture on your part, how about some figures?

Re:Steam can't run in a sandbox so apple can lock (1)

fyngyrz (762201) | more than 2 years ago | (#38045212)


>Lion's 16% installed base is NOT bad after only 4 months.

No? $29.95 for all your machines? Sounds like a bloody bargain to me -- seriously, it does. Saving a measly $29.95 as compared to 250 new features [apple.com] for your Mac? Some of which, like resizing windows from every edge, and improved gestures, and better networking, to name just a few, are highly desirable. Also, you don't even need media -- you can just download the thing. Instant access, amazingly low price, extremely generous licensing, lots of new features. Sounds awesome. So why not upgrade?

How about because.... Lion breaks a whole lotta stuff (like, every PPC app and driver anyone ever owned) on top of what Snow Leopard broke [wikidot.com] ? Oh yeah. That would be why. :o)

Also, that's why there are nearly twice as many people still using Leopard (10.5.8), at about 30%. Because Lion is a lousy release on top of another lousy release: Snow Leopard. This is true even though if they upgraded today, they'd get those 250 Lion features plus the Snow Leopard features. [wikipedia.org]

Look, both Snow Leopard and Lion are fine: if you're a new user and you will only buy new, compatible software. And that, no particular surprise, is the demographic that will make Apple the most money. But if you've been with them for a while, as I have, then you may have quite an investment in software. And that can change the picture quite a bit.

>All the rest is just opinions and conjecture on your part, how about some figures ?

Not so. See above for figures for the Google-impaired [slashdot.org].

Re:Steam can't run in a sandbox so apple can lock (1)

Moridineas (213502) | more than 2 years ago | (#38045404)

>How about because.... Lion breaks a whole lotta stuff (like, every PPC app and driver anyone ever owned) on top of what Snow Leopard broke [wikidot.com] ? Oh yeah. That would be why. :o)

We have one computer at work that runs Leopard and still has an ancient PPC version of an early Photoshop CS. But really, for most mac users, is this even remotely relevant?

>Also, that's why there are nearly twice as many people still using Leopard (10.5.8), at about 30%. Because Lion is a lousy release on top of another lousy release: Snow Leopard. This is true even though if they upgraded today, they'd get those 250 Lion features plus the Snow Leopard features. [wikipedia.org]

Again, do most Mac users (beyond the power users) ever upgrade their OS? Heck, according to one of your links, 6% of all Mac users are still running 6+ year old system software! At my office we don't upgrade windows computers to new major versions, and we VERY RARELY upgrade macs to new major versions. We've got a tiger system and a win2k system still going. FWIW, I started using a Mac with 10.3 and I have always upgraded my OS pretty soon after release. I have opted not to buy Lion, mostly because I don't care for the download, but also none of the features are particularly compelling to me.

Really, the only fitting comparison would be to compare Leopard upgrade numbers to Snow Leopard upgrade numbers to Lion numbers. I don't know how that would look. Snow Leopard over Leopard is probably my favorite OSX upgrade.

Re:Steam can't run in a sandbox so apple can lock (0)

Anonymous Coward | more than 2 years ago | (#38044870)

App-store only:

1. Would breach EU laws on monopolies, market abuses etc
2. I get my scanner drivers from the manufacturer, don't see the problem.

EU laws? (1)

fyngyrz (762201) | more than 2 years ago | (#38045344)

>App-store only:
>
>1. Would breach EU laws on monopolies, market abuses etc

It would? How come they let Apple sell IOS apps only from the app store, then? In other words, I can't make an IOS app myself, and sell it to you myself. I have to use the app store. And the EU clearly allows this. How does that fit in with your assertion?

>I get my scanner drivers from the manufacturer, don't see the problem.

And if the scanner manufacturer made your driver a while back, and it worked fine, but won't under Lion or Snow Leopard... and there is no update for it (and why should there be? It was working fine, and can continue to work fine as long as you don't install Apple's broken OS)... What then?

Re:Steam can't run in a sandbox so apple can lock (5, Informative)

CharlyFoxtrot (1607527) | more than 2 years ago | (#38044994)

>Customers were used to using drivers for scanners and etc, Apple took that away (effectively taking away the supported hardware) in Snow Leopard by breaking tons of them -- and never going back to fix them.

That's a third party problem, they need to support their own devices.

>Customers were used to being able to run the PPC apps they had spent many dollars on... Apple took that away in Lion.

After they licensed very expensive software (Rosetta) to give you years to wean yourself off of PPC. I find it hard to imagine another OS vendor expending that much effort to do a seamless transition, even Bill Gates was impressed they pulled the Intel switch off as seamlessly as Apple did. Ungrateful much?

>Customers have been used to apps (oh, I dunno, like Photoshop?) that were part of a system of apps that worked with their data, and Apple's taking that away within the bounds of the app store... and you think it's unlikely that this policy will spread outside the store?

Yes, they're not going to piss off a sizeable part of their customer base by making it impossible to run Photoshop or other Pro apps.

>Buddy, Apple does what it wants -- they are *famous* for doing "teh stupidz" -- folders that don't nest under IOS, "wifi sync" that doesn't work under Leopard, a 4-year old native OS, while it does under XP, a ten year old non-native OS, they break the living hell out of IOS apps with just about every "upgrade", forcing developers to put up Yet Another Version of their app to correct for the incompatibilities...

Nested folders are a bad idea. People don't get nested hierarchies, spend some time watching non-geeks use computers and you'll see.
Leopard is down to 22% market share [theverge.com], XP only just dipped below 50% this summer [cnet.com]. There's a vast amount of XP machines out there, so unfortunately Apple should expend the effort to support them.
iOS is a platform that's developing at an enormous pace because mobile is so competitive and fast evolving. Change or get left behind is the name of the game, accumulating backwards compatibility cruft à la Windows would be deadly. That said I have not heard many complaints about breakages.

>When your reasoning depends upon Apple doing things because customers have expectations, your reasoning is no better than a random guess. Apple makes roadmaps, has "visions", and then aims at them. Up until Leopard and IOS4, they were doing pretty well at hitting the target, though of course everyone wanted more. 10.6 and later, IOS5... these are huge bags of fail from several perspectives, most especially from the one you're using to make your assertion: Apple doesn't aim at keeping customers expectations static.

You obviously don't like iOS5 and Lion. There are a lot of us who would beg to differ.

Re:Steam can't run in a sandbox so apple can lock (0)

cheeks5965 (1682996) | more than 2 years ago | (#38045000)

>Then you clearly don't understand Apple as well as you think you do.
>
>No, I think it is you who doesn't understand Apple.

No, it is YOU, my friend, who doesn't understand Apple! I don't understand your beef. The software works well and respects my limited time. What do I mean by this? I don't have time to waste on defrag, chasing problems down, etc etc barf barf barf. I have a girlfriend. Thank you, Apple, for giving me time for other things.

Re:Steam can't run in a sandbox so apple can lock (1)

PopeRatzo (965947) | more than 2 years ago | (#38045384)

>I have a girlfriend. Thank you, apple, for giving me time for other things.

So that's all it took? An iPhone and a Macbook and bam! you get a girlfriend? Those are some great products.

There are plenty of lonely-looking Apple users sitting in the coffee shop at 10:30am who are still waiting, it appears. Maybe as usual Apple didn't have enough inventory at roll-out.

Re:Steam can't run in a sandbox so apple can lock (1)

reasterling (1942300) | more than 2 years ago | (#38044484)

"The more you tighten your grip, Tarkin, the more star systems will slip through your fingers."

Re:Steam can't run in a sandbox so apple can lock (1)

mhotchin (791085) | more than 2 years ago | (#38045020)

"Watch me not care."

BOOM

Windows 8 is not going app store only and but even (1)

Joe_Dragon (2206452) | more than 2 years ago | (#38044346)

Windows 8 is not going app store only and but even then MS is more open to in app user maps and addons.

But Steam is big on Windows so I don't see that being locked out and there are way too many old apps out there as well.

Re:Windows 8 is not going app store only and but e (1)

0123456 (636235) | more than 2 years ago | (#38044910)

>Windows 8 is not going app store only and but even then MS is more open to in app user maps and addons.

I thought Metrosexual apps were going to be app-store only?

It's going to be hard for any OS developer to turn down the idea of getting 30% of every piece of software installed on a system.

antitrust will get in the way of this app store on (1)

Joe_Dragon (2206452) | more than 2 years ago | (#38045024)

Antitrust will get in the way of this app store only stuff and Linux will pick up.

Re:Steam can't run in a sandbox so apple can lock (0)

Anonymous Coward | more than 2 years ago | (#38044348)

flash forward, year 2014: major retailers are announcing they'll no longer sell computer or game software in their stores, yet they'll sell passcodes which will allow you to download the software from the major online app stores, this passcode will give you a retailer defined discount. Hint..{apply for your patent now!}

From: we hate microsoft, apple, intel, dell, and hp.

RMS for president!

bandwidth need to better for that to work 3g / sate (1)

Joe_Dragon (2206452) | more than 2 years ago | (#38044452)

>flash forward, year 2014: major retailers are announcing they'll no longer sell computer or game software in their stores, yet they'll sell passcodes which will allow you to download the software from the major online app stores, this passcode will give you a retailer defined discount. Hint..{apply for your patent now!}
>
>From: we hate microsoft, apple, intel, dell, and hp.
>
>RMS for president!

Satellite FAP kills it.
4G caps too low.
Cable ok but caps need to go up and some systems may need more nodes splits to fit the load in.
DSL needs to move up faster speeds with more Adsl2 / other newer techs, some people max out at 1.5 due to being far from the CO or RT.

Re:Steam can't run in a sandbox so apple can lock (2)

fyngyrz (762201) | more than 2 years ago | (#38045352)

>RMS for president!

Peak for president! (It's 1.414 times better!)

(cough) sorry.

Re:Steam can't run in a sandbox so apple can lock (5, Insightful)

itsdapead (734413) | more than 2 years ago | (#38044260)

>Steam can't run in a sandbox so apple can lock them out if they move to more of a app store only system.

...and the same is true of MS Office, Adobe CS, Parallels/VMWare etc. So maybe, just maybe, Apple isn't going to lock down OS X until people are no longer buying Macs to run those applications.

Sure they could decide to go this way - in which case I could feed a Linux or Windows disc in my Mac and give Apple up as a bad job. Personally, I'd be more worried as to whether MS is going to push UEFI secure boot onto every OEM, making it hard to buy any hardware that let you choose which OS to run.

OTOH the App Store could develop as somewhere that it was safe for a non-Admin account (Grandad, kids, mere employees) to install software from. The whole system wouldn't need to be locked down.

business use will drive UEFI with lots on xp / 7 (1)

Joe_Dragon (2206452) | more than 2 years ago | (#38044364)

Business use will drive UEFI with lots on XP / 7. At least Windows 7 will have to be able to boot that UEFI mode and Linux is used by business for stuff as well as a lot of the web servers so that is a big area that the OEM will not want to be locked out of.

Re:Steam can't run in a sandbox so apple can lock (1)

exomondo (1725132) | more than 2 years ago | (#38045116)

>Personally, I'd be more worried as to whether MS is going to push UEFI secure boot onto every OEM, making it hard to buy any hardware that let you choose which OS to run.

Why? Just because SecureBoot is available doesn't mean it has to be turned on.

Re:Steam can't run in a sandbox so apple can lock (1)

fyngyrz (762201) | more than 2 years ago | (#38045360)

>Personally, I'd be more worried as to whether MS is going to push UEFI secure boot onto every OEM, making it hard to buy any hardware that let you choose which OS to run.

VM's FTW. :)

OSX = IOS (5, Insightful)

dezent (952982) | more than 2 years ago | (#38044252)

What has not yet been lifted in this thread is that OSX and IOS are starting to look a lot more like each other, or OSX is looking a lot more like IOS since Lion upgrade, I think we will see more and more aspects of the Mac being locked in. I am seriously looking at going back to Debian for my desktop.

Re:OSX = IOS (4, Interesting)

fyngyrz (762201) | more than 2 years ago | (#38044594)

Agreed; clearly, both environments are going in the wrong direction. IOS needs to become more OS X-like, and OS X needs further development in its natural direction, which is exactly opposite that of where IOS is today.

Someone at Apple has gotten the wrong idea from the fact that IOS, with its many limits, was good enough for a tablet; they've extrapolated that to think it means that limits are a good thing. They aren't. The best tablet will be the most powerful and flexible tablet, and that won't be one with all the limits we presently see. It'll be one that can legitimately replace the desktop for just about anything you can imagine.

Apple is clearly dominating the tablet space right now, but as soon as real operating systems with serious applications hit tablets (which I think is still a little way away due to hardware limitations), Apple's going to be left behind in a flash unless they release OS X for their tablets. I'm a huge iPad user, and I run into its limits each and every day. I look forward to a more powerful alternative, something like OS X on a tablet would be "just the thing."

Re:OSX = IOS (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38045254)

>Apple is clearly dominating the tablet space right now, but as soon as real operating systems with serious applications hit tablets

Those tablets have been available for well over a decade and they bombed in the market because nobody wants those fragile pieces of tech. The solution to making a more powerful tablet is in improving iOS, not trying to cram a fragile maintenance heavy desktop OS on a tablet. The future in mainstream computing lies in computers that everybody can use and desktop computers ain't those machines and without radical changes they never will be, seeing how they barely have changed at all in the last decade.

Re:OSX = IOS (2)

CharlyFoxtrot (1607527) | more than 2 years ago | (#38045068)

They are probably going to converge although no one knows when (definitely not in the short term though, that's the Windows 8 approach.) But the end result won't look like today's iOS. The current iOS is like the original Macintosh: can we see its influence on the Mac today? Absolutely. Today's Macs however are different in many ways and they make different compromises because they not only serve different needs but they have evolved with the times. The "converged Apple OS" is to iOS as the 128K Mac is to today's iMac.

Mac OS X 10.7x, 10.6x and 10.5x (2)

Hyperhaplo (575219) | more than 2 years ago | (#38044350)

With all the recent discussion about software version numbering.. and how it is now redundant .. can someone from the 'I don't think version numbers are needed at all' side of the fence comment regarding how they would have referred to "Mac OS X 10.7x, 10.6x and 10.5x" in the context of this story?

I recently had a problem with Chrome 9. Took me ages to determine that it was chrome 9 that was the problem, given that it is not an issue on Chrome 11. Just glad my issue wasn't security related (some of the google pages would not render and were iteratively reloading content).

Why can't everything be run in its own sandbox? Isn't this where IT security is heading?

Re:Mac OS X 10.7x, 10.6x and 10.5x (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38044478)

>Why can't everything be run in its own sandbox? Isn't this where IT security is heading?

Because we've tried it that way many times before, and it's just not practical for getting real work done.

The typical process model offered by most OSes created within the past 30 years already provides most of the benefits of a sandbox. The processes are isolated, they can be denied access to certain resources, and they can abstract away the physical hardware. But then we find that we need to share data between applications in order to make software that's actually useful. That's why we have files, IPC, networking, and a whole bunch of other ways to intentionally break through process isolation.

Sandboxing works great when you're making shitty games that run on some Apple device. But as soon as you want to do something practical, you need to get rid of these artificial limitations.

Re:Mac OS X 10.7x, 10.6x and 10.5x (2)

CharlyFoxtrot (1607527) | more than 2 years ago | (#38045086)

Lion, Snow Leopard and Leopard respectively, updates can be referred to by release date. I think the names are better known than the version numbers by a lot of people. I don't think version numbers are redundant by the way but they could have been completely avoided in this story.

mac OS X isn't done . . . (0)

Anonymous Coward | more than 2 years ago | (#38044372)

. . . until a Windows virus will run.

Uh Oh (-1)

Anonymous Coward | more than 2 years ago | (#38044930)

In the Apple Campus Hall where many wondrous thingingys were unveiled by Steven P. Jobs, Major Uh Oh stands up!

  I'm selling all Apple Inc. stock and all companies stock associated with Apple Inc.

  Let the war begin.

))__==++
