macOS Bookmarks-Based Sandbox Escape Vulnerability Lets Attackers Delete and Replace a Keychain Item

A security vulnerability in macOS has been discovered that allows malicious actors to escape the App Sandbox by manipulating security-scoped bookmarks. According to Microsoft's detailed analysis, attackers can exploit a critical flaw in how macOS manages these bookmarks.

While Apple correctly restricted read access to the com.apple.scopedbookmarksagent.xpc keychain item through strict Access Control Lists (ACLs), researchers discovered that the protection did not prevent deletion or replacement of the item. After deleting it, attackers can insert a new secret with a known value and attach a permissive ACL that allows broader access. When the application then attempts to access files using bookmarks forged with that known secret, the ScopedBookmarkAgent validates the forged credentials and grants access without additional user consent.

The exploit enables unauthorized access to sensitive user data and potentially allows arbitrary code execution with elevated privileges. The proof-of-concept demonstrated by Microsoft shows how a malicious Office macro could implement this attack chain, though the vulnerability affects any sandboxed app that uses security-scoped bookmarks.

The vulnerability affects multiple Apple operating systems, including macOS Ventura, macOS Sonoma, macOS Sequoia, tvOS, iOS, and iPadOS. Apple has addressed it "through improved state management" in security updates released for the affected systems. Microsoft Defender for Endpoint can detect suspicious keychain manipulation attempts related to this exploit, adding a further layer of protection for organizations using that product.

This case highlights how sophisticated attackers continue to find ways to circumvent sandbox protections, reinforcing the need for prompt security updates and comprehensive endpoint security.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News, covering cyber security incidents.
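To make the failure concrete, here is an added Python model of the bug class described above; it is not Apple's or Microsoft's code. The keychain item name is the one the article gives. Everything else is an assumption made for the model: bookmarks are authenticated with an HMAC over a per-agent secret (the article only says the agent "validates" them); the hardened variant models "improved state management" as the agent remembering a fingerprint of the secret it created, held in memory here; and the caller labels and file paths are hypothetical. The toy keychain enforces its ACL on reads only, exactly the gap the article describes, so the sandboxed caller cannot read the secret but can delete the item and add a replacement.

```python
"""Model of the delete-and-replace keychain flaw (added example, not Apple's/Microsoft's code).
Assumptions: HMAC-authenticated bookmarks; the fix is modelled as a remembered
secret fingerprint (in memory; a real fix would persist it); labels/paths are hypothetical."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

SERVICE = "com.apple.scopedbookmarksagent.xpc"  # keychain item named in the article
AGENT = "ScopedBookmarkAgent"
APP = "sandboxed-app"                            # hypothetical attacker-controlled caller
TAG_LEN = hashlib.sha256().digest_size           # 32-byte HMAC tag appended to each bookmark


@dataclass
class Item:
    secret: bytes
    readers: frozenset                            # ACL: callers allowed to read the secret


class Keychain:
    """Toy keychain: the ACL gates reads but, as in the bug, not delete or add."""

    def __init__(self) -> None:
        self._items: Dict[str, Item] = {}

    def add(self, service: str, secret: bytes, readers) -> None:
        if service in self._items:
            raise KeyError(f"{service} already exists")
        self._items[service] = Item(secret, frozenset(readers))

    def read(self, caller: str, service: str) -> bytes:
        item = self._items[service]               # KeyError if the item is missing
        if caller not in item.readers:
            raise PermissionError(f"{caller} may not read {service}")
        return item.secret

    def delete(self, caller: str, service: str) -> None:
        # The flaw: no ACL check on deletion, so any caller can remove the item.
        self._items.pop(service, None)


def _mac(secret: bytes, path: str) -> bytes:
    return hmac.new(secret, path.encode(), hashlib.sha256).digest()


class BookmarkAgent:
    """Issues and resolves bookmarks; track_state=True is the hardened variant."""

    def __init__(self, kc: Keychain, track_state: bool = False) -> None:
        self.kc = kc
        self.track_state = track_state
        self._fingerprint: Optional[bytes] = None  # hash of the secret this agent created

    def _load_secret(self) -> bytes:
        try:
            secret = self.kc.read(AGENT, SERVICE)
        except KeyError:                          # first use: create the secret, agent-only ACL
            secret = os.urandom(32)
            self.kc.add(SERVICE, secret, {AGENT})
            self._fingerprint = hashlib.sha256(secret).digest()
            return secret
        if self.track_state and self._fingerprint is not None:
            if hashlib.sha256(secret).digest() != self._fingerprint:
                raise RuntimeError("keychain item was replaced since the agent created it")
        return secret

    def issue(self, path: str) -> bytes:
        return path.encode() + _mac(self._load_secret(), path)

    def resolve(self, token: bytes) -> Optional[str]:
        path_b, tag = token[:-TAG_LEN], token[-TAG_LEN:]
        try:
            secret = self._load_secret()
        except RuntimeError:
            return None                           # hardened agent refuses a replaced secret
        path = path_b.decode()
        return path if hmac.compare_digest(tag, _mac(secret, path)) else None


def forge_bookmark(kc: Keychain, path: str) -> bytes:
    """Sandboxed attacker: cannot read the secret, so delete the item, re-add it
    with a known secret and a permissive ACL, then sign a bookmark for any path."""
    known = b"attacker-chosen-secret"
    kc.delete(APP, SERVICE)                      # permitted: the read ACL does not cover delete
    kc.add(SERVICE, known, {APP, AGENT})         # permissive ACL: the app can now read it too
    return path.encode() + _mac(known, path)


def run_demo() -> dict:
    results = {}
    for hardened in (False, True):
        kc = Keychain()
        agent = BookmarkAgent(kc, track_state=hardened)
        legit = agent.issue("/Users/victim/Documents/ok.txt")
        try:
            kc.read(APP, SERVICE)
            results["read_denied"] = False
        except PermissionError:
            results["read_denied"] = True       # the read ACL works as intended
        key = "hardened" if hardened else "vulnerable"
        results[f"legit_{key}"] = agent.resolve(legit)          # before tampering
        forged = forge_bookmark(kc, "/Users/victim/Library/Keychains")
        results[f"forged_{key}"] = agent.resolve(forged)        # after delete-and-replace
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The vulnerable agent resolves the forged bookmark because it trusts whatever secret is currently stored under the service name; the hardened agent notices the secret no longer matches the one it created and refuses. The general lesson is that a keychain ACL protects the confidentiality of a secret, not the identity or continued existence of the item, so any consumer that uses a stored secret to authenticate tokens must bind itself to that specific item state. On a real Mac, `security find-generic-password -s com.apple.scopedbookmarksagent.xpc` shows whether the item is present in the login keychain, and `security dump-keychain -a` includes each item's ACL, which is a reasonable starting point when checking whether an item has been replaced with a more permissive one.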

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 02 May 2025 10:50:06 +0000

