Google’s Project Zero reveals zero-day MacOS vulnerability to the public

The copy-on-write vulnerability has not been patched.
Written by Charlie Osborne, Contributing Writer

Google's Project Zero has publicly disclosed a zero-day vulnerability in Apple macOS software after a deadline to resolve the issue expired.

Apple was informed of the previously unknown security issue in November 2018. The security flaw, described as a "high-severity" copy-on-write behavior bypass via the mount of a user-owned filesystem image, was made public last week.

According to a post on Monorail, the copy-on-write (COW) resource management system in Apple's XNU kernel permits the creation of copies of data between processes, which includes out-of-line message descriptors in Mach messages.

The copied memory needs to be protected against future modifications by the source process; otherwise, "the source process might be able to exploit double-reads in the destination process," according to the team.

"This copy-on-write behavior works not only with anonymous memory, but also with file mappings," the vulnerability description reads. "This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem."

Therefore, if an attacker is able to tamper with an on-disk file without the virtual management subsystem being alerted, this is a severe security issue which needs to be tackled.

In Apple macOS, filesystem images can be mounted, and it is possible to mutate a mounted image directly by calling pwrite() on the filesystem image without the subsystem being informed of the change.
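The double-read risk the team describes, as an added example (not from the article or from Project Zero's PoC): a receiver that checks a length field in memory it does not control and then reads it again, beside a version that snapshots the message into private memory first. The `struct msg` layout, the function names and the `change` hook, which simulates the memory changing between the two reads, are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 16              /* limit the receiver intends to enforce */

/* Constructed message layout for this example: length field, then payload. */
struct msg { uint32_t len; uint8_t data[64]; };

/* Hypothetical hook standing in for the backing memory changing between reads. */
typedef void (*change_fn)(struct msg *);
static void grow_len(struct msg *m) { m->len = 48; }

/* Double read: len is fetched once to validate and again to copy. */
size_t recv_double_read(struct msg *shared, change_fn change, uint8_t *out)
{
    if (shared->len > MAX_PAYLOAD)          /* fetch 1: check */
        return 0;
    if (change) change(shared);             /* contents change after the check */
    size_t n = shared->len;                 /* fetch 2: use, no longer checked */
    memcpy(out, shared->data, n);
    return n;
}

/* Single read: snapshot into private memory, then check and use the snapshot only. */
size_t recv_snapshot(struct msg *shared, change_fn change, uint8_t *out)
{
    struct msg local;
    memcpy(&local, shared, sizeof local);   /* the only fetch from shared memory */
    if (change) change(shared);             /* later changes cannot affect local */
    if (local.len > MAX_PAYLOAD)
        return 0;
    memcpy(out, local.data, local.len);
    return local.len;
}

int main(void)
{
    /* out is deliberately larger than MAX_PAYLOAD so the demo stays in bounds. */
    uint8_t out[64];
    struct msg a = { 8, {0} }, b = { 8, {0} };
    printf("double read copied %zu bytes (limit %d)\n", recv_double_read(&a, grow_len, out), MAX_PAYLOAD);
    printf("snapshot copied %zu bytes (limit %d)\n", recv_snapshot(&b, grow_len, out), MAX_PAYLOAD);
    return 0;
}
```

Copy-on-write is meant to give the destination process the stability that `recv_snapshot` gets from its private copy, without the receiver having to copy the data itself.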

This zero-day vulnerability, suggested to be a local privilege escalation bug, could be used to exploit target macOS systems, and may also prove useful to threat actors in wider exploit chains.

The researchers provided proof-of-concept (PoC) code to demonstrate the vulnerability.

Project Zero says the bug was subject to the group's standard 90-day disclosure deadline, within which Apple failed to patch the problem, leading to the automatic release of the bug's details.

"We've been in contact with Apple regarding this issue, and at this point no fix is available," the researchers say. "Apple are intending to resolve this issue in a future release, and we're working together to assess the options for a patch."

Google's Project Zero sticks to a stringent 90-day deadline for vulnerabilities. Vendors informed of a security issue are given this timeframe in which to issue patches and resolve issues before they become public. While controversial, the deadline may pressure organizations to resolve severe problems before they are widely exploited by threat actors.

ZDNet has reached out to Apple and will update if we hear back. 
