OS X Coreaudiod Calls Uninitialized Function Pointer
Posted by deepcore on January 28, 2016 – 2:34 am
The Mach service com.apple.audio.coreaudiod is reachable from various sandboxes, including the Safari renderer. coreaudiod is itself sandboxed and runs as its own user; nevertheless it has access to several interesting attack surfaces that Safari does not, so this bug could potentially form part of a full sandbox escape chain.