Google’s Project Zero team has discovered a “high severity” flaw in the macOS kernel.
The issue, which potentially allows attackers to perform malicious actions on a mounted filesystem, was reported to Apple more than 90 days ago. No fix has been made available yet, but Apple has acknowledged the issue and is working with Project Zero on a patch.
Apple’s desktop software has gotten significantly more reliable since the release of macOS Mojave last fall, but major flaws continue to slip through the cracks. The latest, which is present in the macOS kernel, could cause major problems for Mac users with mounted filesystems.
Google weeds out another macOS vulnerability
The problem appears to be in Apple’s implementation of copy-on-write (COW) behavior. It allows modifications to be made to a mounted filesystem without notifying the virtual management system, which could have serious implications.
In a nutshell, the flaw gives attackers the ability to perform malicious actions on a mounted filesystem without ever alerting the user. Here are the technical details from the Project Zero team:
XNU has various interfaces that permit creating copy-on-write copies of data
between processes, including out-of-line message descriptors in mach messages.
It is important that the copied memory is protected against later modifications
by the source process; otherwise, the source process might be able to exploit
double-reads in the destination process.
This copy-on-write behavior works not only with anonymous memory, but also with
file mappings. This means that, after the destination process has started
reading from the transferred memory area, memory pressure can cause the pages
holding the transferred memory to be evicted from the page cache. Later, when
the evicted pages are needed again, they can be reloaded from the backing
This means that if an attacker can mutate an on-disk file without informing the
virtual management subsystem, this is a security bug.
MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem.
Project Zero also provides a proof-of-concept that demonstrates the problem.
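The double-read hazard the Project Zero text describes has a well-known defensive counterpart on the receiving side: a process that accepts data through a shared or copy-on-write mapping should copy it into its own anonymous memory once, then validate and parse only that private copy, so nothing the source (or the backing file) does afterwards can change what was already checked. The following C program is an added example illustrating that pattern; it is not Project Zero's proof-of-concept or any Apple code, the four-byte length-prefixed message format is a constructed placeholder, and the "shared" region is an ordinary array standing in for a transferred mapping.

```c
/* Added example (not Project Zero's or Apple's code): snapshot-then-parse to avoid
 * double-reads of a region that another party may still be able to change. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format: 4-byte little-endian payload length, then payload bytes. */
#define HDR_LEN 4

/* Copy the shared region into freshly allocated anonymous memory in one pass.
 * Returns a malloc'd buffer the caller frees, or NULL on allocation failure. */
uint8_t *snapshot_region(const uint8_t *shared, size_t n) {
    uint8_t *copy = malloc(n ? n : 1);
    if (!copy) return NULL;
    memcpy(copy, shared, n);   /* the only read of the shared mapping */
    return copy;
}

/* Validate the header and sum the payload, reading ONLY the private snapshot.
 * Returns the payload byte sum, or -1 if the header is inconsistent with the copy. */
long parse_snapshot(const uint8_t *buf, size_t n) {
    if (n < HDR_LEN) return -1;
    uint32_t len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                   ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    /* Length is checked against the same bytes that will be parsed below. */
    if (len > n - HDR_LEN) return -1;
    long sum = 0;
    for (size_t i = 0; i < len; i++) sum += buf[HDR_LEN + i];
    return sum;
}

/* Simulated transfer: the source hands over a region, the receiver snapshots it,
 * the source then rewrites the original (standing in for the on-disk mutation the
 * text describes), and the receiver parses. Returns 1 if the parse result is
 * unaffected by the later rewrite, 0 otherwise. */
int demo_snapshot_isolates_receiver(void) {
    uint8_t shared[HDR_LEN + 4] = { 4, 0, 0, 0, 1, 2, 3, 4 };  /* constructed message */
    uint8_t *snap = snapshot_region(shared, sizeof shared);
    if (!snap) return 0;
    long before = parse_snapshot(snap, sizeof shared);         /* 1+2+3+4 = 10 */
    /* Source mutates the region after the copy: inflates length and payload. */
    shared[0] = 0xff; shared[1] = 0xff; shared[4] = 0xff;
    long after = parse_snapshot(snap, sizeof shared);          /* still 10 */
    free(snap);
    return (before == 10 && after == 10) ? 1 : 0;
}
```

The point is not the message format but the order of operations: the length check and the payload loop both operate on memory that only the receiver can write, so a source that can still reach the original pages, whether through the mapping itself or through the file behind it, gains nothing from changing them after the copy.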
Apple working on a fix
Apple was notified of this problem last November, and although it is yet to issue a fix, it has at least acknowledged the flaw. It is now working with Project Zero on a patch that will be available in a future macOS update.
The details of this flaw surfaced just days after security researcher Linus Henze confirmed he has also provided Apple with details of another macOS vulnerability, which allows Keychain usernames and passwords to be stolen without administrator access.
Henze has also provided Apple with a patch, but the fix is yet to make its way to macOS users.