Researchers have disclosed what they say is a high-severity security flaw in Apple’s macOS operating system – which has not yet been patched.
The flaw gives an attacker privileges to perform malicious actions on a mounted filesystem – without the victim knowing. The Google Project Zero team released a proof-of-concept for the attack last week, after they said that Apple failed to fix the flaw by the 90-day disclosure deadline. The vulnerability was first reported Nov. 30 by Google Zero researcher Ian Beer.
“We’ve been in contact with Apple regarding this issue, and at this point no fix is available,” researchers said in the post. “Apple are intending to resolve this issue in a future release, and we’re working together to assess the options for a patch. We’ll update this issue tracker entry once we have more details.”
The flaw exists in the copy-on-write (COW) behavior of Apple’s XNU kernel. XNU is the operating system kernel in macOS; according to Apple’s official GitHub page, XNU is “a hybrid kernel that combines the Mach kernel developed at Carnegie Mellon University with FreeBSD and C++ components for the drivers.”
COW, meanwhile, is a resource-management technique used in the virtual memory of operating systems; specifically, it allows copies of data to be created between processes, for both anonymous memory and file mappings.
“It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process,” researchers said.
However, the team discovered that they are able to modify a user-owned mounted file system image – and COW does not inform the virtual management system of the change.
That could allow a malicious actor to launch several macOS attacks without the virtual management subsystem being informed: “This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug,” researchers said.
Apple did not immediately respond to a request for comment from Threatpost.