core-jmp

Screenshot of the pb2au fake DMG-style installer used by the proof of concept

CVE-2026-28910: Breaking the macOS App Sandbox, TCC and Code Signing with Archive Utility

May 24, 2026

by oxfemale MacOS Vulnerability Analysis

Mysk research details CVE-2026-28910 — a chain of three macOS design flaws that turns the built-in Archive Utility plus a single drag-and-drop into a sandbox-escaping, TCC-bypassing, app-hijacking primitive. The pb2au proof of concept compromises Notes, Messages, Mail, Safari, WhatsApp, Telegram, Signal Desktop and 1Password in under 30 seconds with no root, no password, and no special permissions. Patched in macOS 26.4 (March 2026); all earlier macOS Tahoe builds remained exposed for ~5 months.

Exploiting CVE-2024-32002: RCE via git clone

May 21, 2026

by oxfemale MacOS RCE Security

CVE-2024-32002 turns git clone –recursive into RCE on case-insensitive filesystems. A crafted submodule + symlink can plant a Git hook in .git and execute code before review.

The 49-Day macOS Time Bomb: How a TCP Timer Overflow Breaks the Network Stack

April 9, 2026

by oxfemale MacOS Network TCP/IP XNU Kernel

A bug in macOS’s TCP stack causes networking to fail after about 49.7 days of uptime. A 32-bit timer overflow freezes the TCP clock, preventing cleanup of closed connections and eventually exhausting ephemeral ports.

Recovery Mode Breakdown: Turning macOS Recovery Safari into Root Persistence

April 7, 2026

by oxfemale MacOS Privilege Escalation Recovery mode Security

A macOS Recovery Mode Safari flaw allowed attackers to write arbitrary files to system partitions. By placing a malicious LaunchDaemon in /Library/LaunchDaemons, an attacker could achieve persistent root execution after reboot.

Booting into Trust: Reverse Engineering macOS Secure Boot Internals

March 20, 2026

by oxfemale Apple Silicon Boot ROM firmware Hardware kernel-mode MacOS Reverse Engineering Secure Boot XNU Kernel

The article analyzes the macOS secure boot chain on Apple Silicon, showing how Boot ROM, cryptographic verification, Secure Enclave, and staged bootloaders create a hardware-anchored chain-of-trust that protects the OS from power-on to kernel startup.

EDR Internals for macOS and Linux

March 16, 2026

by oxfemale EDR Linux MacOS

The article examines how EDR agents monitor macOS and Linux systems by collecting telemetry from OS security frameworks, kernel interfaces, and tools like eBPF. Understanding these data sources reveals detection capabilities and potential blind spots.

core-jmp

Posts in category: MacOS

CVE-2026-28910: Breaking the macOS App Sandbox, TCC and Code Signing with Archive Utility

Exploiting CVE-2024-32002: RCE via git clone

The 49-Day macOS Time Bomb: How a TCP Timer Overflow Breaks the Network Stack

Recovery Mode Breakdown: Turning macOS Recovery Safari into Root Persistence

Booting into Trust: Reverse Engineering macOS Secure Boot Internals

EDR Internals for macOS and Linux

Recent Posts

Archives

Categories