Google’s Project Zero has reported and publicly disclosed a “high severity” flaw in the macOS kernel (XNU) that lets a local attacker tamper with file-backed memory another process is reading, without that process ever noticing. The researchers found that when a user-owned mounted filesystem image is modified directly (writing to the image file rather than through the mounted filesystem), the kernel’s virtual memory subsystem is not told about the change. Cached pages from the mounted filesystem therefore keep their old contents until they are evicted and reloaded from the now-altered image, so an attacker can swap the bytes underneath a victim process without the end user knowing.
Google says it disclosed the flaw to Apple in November 2018. Because Apple had not shipped a patch by the end of Project Zero’s 90-day disclosure deadline, the bug has now been made public. Google rates the issue “high severity,” indicating a potentially significant impact.
Apple has since acknowledged the issue and is working with Project Zero on a fix. Apple intends to patch it in a future macOS release, but no timeline is available yet.
A detailed explanation of the bug, quoted from the Project Zero report:
This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.
This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. macOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem.
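The report relies on an invariant that normally holds: a file-backed mapping and a pwrite() to the same file go through one page cache, so the kernel always knows when the bytes behind a mapping change, and a MAP_PRIVATE page only diverges once the mapping process itself writes to it (copy-on-write). The following added example (not code from Project Zero, Apple, or this article) makes that invariant observable on an ordinary filesystem: it maps a one-page temp file, touches the page by reading or by writing, mutates the file through the descriptor with pwrite(), and reports whether the mapping saw the change. It assumes a POSIX system with a writable /tmp (falling back to the current directory); the exact MAP_PRIVATE read-touched result is described for Linux.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Create an unlinked one-page temp file filled with 'A', map it with the
 * given mmap flags, touch the page (read or write), then modify the file
 * underneath the mapping with pwrite() and report whether the mapping
 * observed the change.
 * Returns 1 if the mapping sees the pwrite(), 0 if it keeps its old
 * bytes, -1 on error.  (Added demonstration code; assumes POSIX mmap.) */
static int mapping_sees_pwrite(int map_flags, int touch_by_writing)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;

    /* Assumption: /tmp is writable; fall back to the working directory. */
    char path[] = "/tmp/cow-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) {
        char alt[] = "./cow-demo-XXXXXX";
        fd = mkstemp(alt);
        if (fd < 0) return -1;
        unlink(alt);                    /* file lives until fd is closed */
    } else {
        unlink(path);
    }

    char *buf = malloc((size_t)page);
    if (!buf) { close(fd); return -1; }
    memset(buf, 'A', (size_t)page);
    if (write(fd, buf, (size_t)page) != page) { free(buf); close(fd); return -1; }
    free(buf);

    volatile unsigned char *m =
        mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    if (m == MAP_FAILED) { close(fd); return -1; }

    /* Fault the page in.  A read leaves the mapping on the shared
     * page-cache page; a write to a MAP_PRIVATE mapping triggers
     * copy-on-write and gives this process its own anonymous copy. */
    unsigned char first = m[0];
    (void)first;
    if (touch_by_writing)
        m[0] = 'A';                     /* same value, but forces the COW */

    /* Mutate the file through the other path: the file descriptor.  On a
     * normal filesystem this hits the same page-cache page, so the kernel
     * is "informed" and a still-shared mapping sees the new byte. */
    if (pwrite(fd, "B", 1, 0) != 1) {
        munmap((void *)m, (size_t)page);
        close(fd);
        return -1;
    }

    int seen = (m[0] == 'B');
    munmap((void *)m, (size_t)page);
    close(fd);
    return seen;
}

int main(void)
{
    printf("MAP_SHARED,  read-touched : %d\n", mapping_sees_pwrite(MAP_SHARED, 0));
    printf("MAP_PRIVATE, read-touched : %d\n", mapping_sees_pwrite(MAP_PRIVATE, 0));
    printf("MAP_PRIVATE, write-touched: %d\n", mapping_sees_pwrite(MAP_PRIVATE, 1));
    return 0;
}
```

MAP_SHARED reports 1, as POSIX requires. MAP_PRIVATE after a write reports 0: the page is now a private anonymous copy, which is exactly the copy-on-write guarantee the report describes. On Linux, MAP_PRIVATE after only a read also reports 1, because the untouched page is still the page-cache page. The bug is the case this program cannot reproduce without a user-mounted image: there the pwrite() lands on the image file, not on the mounted filesystem’s page-cache pages, so the mapping keeps reading stale bytes until memory pressure evicts them and they are reloaded from the modified image.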