Google’s Project Zero Team Discovers A Major macOS Flaw

Google's Project Zero team has built quite a reputation for itself. It finds all sorts of bugs and flaws in Google's own products, as well as in those of other major companies.

This time, the Project Zero team discovered an Apple issue. More specifically, the macOS kernel has a "high severity" flaw that could make it possible for an attacker to gain access to a victim's computer.

The team found that the kernel's virtual memory management subsystem isn't notified when a modification is made to a user-owned mounted filesystem image.

Google did tell Apple about this issue before making it public. In fact, Apple received the "tip" back in November 2019. Now that the 90-day disclosure deadline has passed, Google has decided to publish the information. Luckily for macOS users, Apple has acknowledged the issue, although there is no fix for it just yet. Here is the explanation offered by Google:

XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process.

This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.

This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem.
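The core of Google's explanation is the "double-read" in the destination process: a receiver that checks a value in a copy-on-write mapping and then reads it again for the actual copy will misbehave if the backing pages change in between. The following C program is an added example written for this article; it is not Project Zero's or Apple's code and does not touch disk images or Mach messages. It models the receiver side in plain user space: a constructed message buffer stands in for the file-backed mapping, and a hypothetical `mutator_fn` hook stands in for the moment when evicted pages are reloaded from a modified image. One receiver follows the double-read pattern, the other snapshots the data into private memory before validating it, which is the mitigation a receiver of untrusted shared memory should apply regardless of the kernel bug.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message layout for the example: one length byte, then payload. */
#define PAYLOAD_MAX 16u
#define GUARD       64u   /* canary-filled region after the payload */
#define SHARED_SIZE 256u  /* size of the simulated shared (file-backed) buffer */
#define CANARY      0xA5u

/* Hypothetical hook standing in for the source process rewriting the
   backing file after the receiver has already validated the data. */
typedef void (*mutator_fn)(uint8_t *shared);

static void init_dest(uint8_t *dest) {
    memset(dest, 0, PAYLOAD_MAX);
    memset(dest + PAYLOAD_MAX, CANARY, GUARD);
}

/* The guard lets us observe an overflow without corrupting anything real. */
static bool guard_intact(const uint8_t *dest) {
    for (size_t i = 0; i < GUARD; i++)
        if (dest[PAYLOAD_MAX + i] != CANARY) return false;
    return true;
}

/* Double-read pattern: the length is fetched once for the bounds check and
   again for the copy. If the pages were reloaded from a modified image in
   between, the copy runs with an unchecked length.
   Returns true when the guard region survived. */
bool consume_double_read(uint8_t *shared, mutator_fn race, uint8_t *dest) {
    init_dest(dest);
    if (shared[0] > PAYLOAD_MAX) return true;   /* first fetch: validate */
    if (race) race(shared);                      /* backing data changes */
    memcpy(dest, shared + 1, shared[0]);         /* second fetch: use */
    return guard_intact(dest);
}

/* Snapshot pattern: copy everything that will be used into private,
   anonymous memory first, then validate and use only that private copy. */
bool consume_snapshot(uint8_t *shared, mutator_fn race, uint8_t *dest) {
    uint8_t priv[1 + PAYLOAD_MAX];
    init_dest(dest);
    memcpy(priv, shared, sizeof priv);           /* single fetch */
    if (race) race(shared);                      /* later changes are irrelevant */
    if (priv[0] > PAYLOAD_MAX) return true;
    memcpy(dest, priv + 1, priv[0]);
    return guard_intact(dest);
}

/* Constructed mutation applied between check and use: the length byte grows
   from 4 to 40, which stays inside the shared buffer and the guard. */
static void grow_length(uint8_t *shared) { shared[0] = 40; }

/* Runs one receiver over a constructed message. Returns 1 when the guard is
   intact and the payload bytes are the ones that were validated, else 0. */
int run_demo(bool hardened) {
    uint8_t shared[SHARED_SIZE];
    uint8_t dest[PAYLOAD_MAX + GUARD];
    memset(shared, 0x41, sizeof shared);         /* filler: 'A' bytes */
    shared[0] = 4;
    memcpy(shared + 1, "abcd", 4);

    bool ok = hardened ? consume_snapshot(shared, grow_length, dest)
                       : consume_double_read(shared, grow_length, dest);
    return (ok && memcmp(dest, "abcd", 4) == 0) ? 1 : 0;
}

int main(void) {
    printf("double-read receiver: %s\n", run_demo(false) ? "safe" : "guard clobbered");
    printf("snapshot receiver:    %s\n", run_demo(true)  ? "safe" : "guard clobbered");
    return 0;
}
```

The double-read receiver copies 40 bytes after having validated a length of 4, so the canary region behind the payload is overwritten; the snapshot receiver never re-reads the shared buffer, so the later mutation cannot influence it. On a real system the snapshot must live in memory the source process cannot reach (private anonymous memory, not another mapping of the same file), and the copy itself must be bounded by the receiver's own buffer size, as it is here.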
