by gizzlon 5231 days ago
Good point. Every interpreter - and program that loads anything - will have to be foolproof. There was a case some time ago where an Xbox (or was it PS3?) game did not correctly check the saved games before loading them. IIRC people were able to exploit this and get the game to run code on their behalf.

In theory, all the games and apps have to sign/encrypt/check everything they load. But I can't believe they will all implement this correctly or that Apple will find all the subtle bugs when reviewing.


The sandbox lessens the risk of said overflows. Instead of exploiting a flaw in an interpreter or file handling function and getting control of the entire machine, you'd only get control of the sandbox's context.

The only way to parlay that into control of the system would be to break the sandbox. And then, because OS X default security is fairly sane, the only way to do real lasting damage is to use a further exploit to escalate your permissions.

True, but that would be true without signed apps as well.

Also, I guess it depends on what the app does and what you mean by "real lasting damage".

That was the first way Wii owners got homebrew software running: the Wii version of Zelda: Twilight Princess didn't do a bounds check when reading the name of the player's horse from a save file.

http://wiibrew.org/wiki/Twilight_Hack#Explanation
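The missing bounds check described above, as an added example (not code from wiibrew or from this thread): a constructed save-record loader in C with the unchecked copy pattern beside a version that checks the name length against both the destination buffer and the remaining input. The record layout (one length byte followed by the name bytes) is an assumption for the example.

```c
/* Constructed example: a minimal save-record loader. Assumed layout:
 * [u8 name_len][name_len bytes of name][...rest of record]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16   /* fixed-size buffer, as in the vulnerable pattern */

struct player {
    char name[NAME_CAP];
    uint32_t rupees;
};

/* Buggy pattern: trusts name_len taken from the file. A record claiming
 * more than NAME_CAP bytes writes past `name`. Kept only for comparison. */
static void load_name_unchecked(struct player *p, const uint8_t *rec)
{
    uint8_t name_len = rec[0];
    memcpy(p->name, rec + 1, name_len);   /* no check against NAME_CAP */
}

/* Checked version: returns 0 on success, -1 on a bad record (leaving *p
 * untouched). Two independent checks: the claimed length must fit the
 * destination (leaving room for the NUL) and must not exceed the input. */
int load_name_checked(struct player *p, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1) return -1;                     /* no length byte */
    uint8_t name_len = rec[0];
    if (name_len >= NAME_CAP) return -1;            /* would overflow buffer */
    if ((size_t)name_len > rec_len - 1) return -1;  /* record is truncated */
    memcpy(p->name, rec + 1, name_len);
    p->name[name_len] = '\0';
    return 0;
}

/* Constructed sample records: valid, overlong claim, and cut short. */
static const uint8_t SAVE_GOOD[]      = {5, 'E', 'p', 'o', 'n', 'a'};
static const uint8_t SAVE_OVERLONG[]  = {200, 'A', 'A', 'A'};
static const uint8_t SAVE_TRUNCATED[] = {5, 'E', 'p'};

int main(void)
{
    struct player p = {0};
    printf("good: %d name=%s\n", load_name_checked(&p, SAVE_GOOD, sizeof SAVE_GOOD), p.name);
    printf("overlong: %d\n", load_name_checked(&p, SAVE_OVERLONG, sizeof SAVE_OVERLONG));
    printf("truncated: %d\n", load_name_checked(&p, SAVE_TRUNCATED, sizeof SAVE_TRUNCATED));
    (void)load_name_unchecked;   /* deliberately never called */
    return 0;
}
```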

The real way we got homebrew on the Wii in the first place was because of an awful RSA implementation done by outsourced devs in the USA.

http://events.ccc.de/congress/2008/Fahrplan/events/2799.en.h...

Err, no, that came later. Much later. The original released homebrew was the Twilight Princess hack. There were a few others internal to the group first, but the attack you're referring to didn't happen until a good year, year and a half later.

I wasn't thinking. My bad.
http://en.wikipedia.org/wiki/Softmod#Softmods_for_Microsoft_...

Splinter Cell and MechAssault were famous for this. The bug is actually in the Xbox Dashboard code itself, so the host system was buggy.

Xbox, PS3, Wii, PSP, GameCube... this has been a consistently successful attack vector against signed application environments on consoles.