Google Project Zero reveals 'high severity' macOS vulnerability that Apple has failed to patch

Google's Project Zero has gone public about a "high severity" flaw in the macOS kernel after Apple failed to patch it 90 days after being told about the problem.

A security researcher discovered a problem in XNU that means it is possible to perform malicious activities. The security bug related to copy-on-write (COW) behavior, enabling an attacker to manipulate filesystem images without the operating system being notified. Apple was informed of the vulnerability back in November, but has failed to release a patch.

Writing about the vulnerability on the Chromium bug tracker -- highlighted by Neowin -- the security researcher explains: "XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process".

The researcher goes on to say:

This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.

This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.

MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem.

A proof-of-concept has been created to show the vulnerability in action.

Until now, details of the security flaw have been kept secret, but with Project Zero's 90-day disclosure deadline having expired, the detailed post has been automatically derestricted.

Another researcher involved in the project says:

We've been in contact with Apple regarding this issue, and at this point no fix is available. Apple are intending to resolve this issue in a future release, and we're working together to assess the options for a patch. We'll update this issue tracker entry once we have more details.

Image credit: Lantern Works / Shutterstock