The use of Apple events is possible within the several default profiles as no-network, no-internet (kSBXProfileNoNetwork) and others. Some developer tools restrict Apple events by default while defining the sandbox. A compromised application hypothetically restricted by the use of the no-Network profile may have access to network resources. The vulnerability was discovered and researched by Anibal Sacco and Matias Eissler from Core Security Technologies. Vulnerable packages include Mac OS X 10.7.x, 10.6.x and 10.4.x.”]
Source: https://www.coresecurity.com/core-labs/advisories/apple-osx-sandbox-bypass