Google's Project Zero has revealed a "high severity" flaw in the macOS kernel which could allow an attacker to make changes to a file without macOS being informed, an issue that could lead to tampered files being opened and open the door to further malicious activity.
Project Zero, Google's team of security researchers who find and report flaws in commercial software, revealed the issue with XNU on the Chromium website. The flaw is described as taking advantage of XNU's copy-on-write (COW) behavior, which lets data be passed between processes and is meant to protect the transferred memory from later modification; the way it is implemented in macOS is apparently less secure than hoped.
If a user-owned mounted filesystem image is modified, reports NeoWin, the virtual memory subsystem is not advised of any changes. This ability to change the on-disk file without the subsystem being aware is considered a security risk by Project Zero.
"This copy-on-write behavior works not only with anonymous memory, but also with file mappings," Project Zero explains in its posting. "This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem."
"MacOS permits normal users to mount filesystem images," the post continues. "When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem."
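The quoted explanation rests on how copy-on-write file mappings behave: a process that maps a file with MAP_PRIVATE shares the page-cache pages with everyone else until the moment it writes, at which point the kernel gives it a private copy, while pages it never writes stay backed by the file on disk. The following C program, added here as an illustration and not code from Project Zero, Apple or the cited report, demonstrates those standard POSIX semantics on an ordinary temporary file (the `/tmp/cow-demo-XXXXXX` path is a constructed example): a MAP_PRIVATE write never reaches the file, a MAP_SHARED write does, and once a page has been copied-on-write a later pwrite() to the file no longer changes the process's copy. It deliberately does not touch mounted disk images, which is where the reported flaw lies.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Helper (constructed for this example): create an unlinked temporary file
 * one page long whose first bytes are `content`. Returns an fd or -1. */
static int make_temp_file(const char *content, size_t page)
{
    char name[] = "/tmp/cow-demo-XXXXXX";      /* constructed sample path */
    int fd = mkstemp(name);
    if (fd < 0) return -1;
    unlink(name);                               /* file lives only while open */
    ssize_t len = (ssize_t)strlen(content);
    if (ftruncate(fd, (off_t)page) != 0 || pwrite(fd, content, (size_t)len, 0) != len) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Read the first 8 bytes of the file into a NUL-terminated buffer. */
static void read_head(int fd, char out[9])
{
    memset(out, 0, 9);
    (void)pread(fd, out, 8, 0);
}

/* Case 1: a write through a MAP_PRIVATE mapping is copied-on-write.
 * The process sees its own modified copy; the file keeps the original. */
int private_write_stays_private(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int fd = make_temp_file("original", page);
    if (fd < 0) return -1;
    char *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) { close(fd); return -1; }
    memcpy(p, "modified", 8);                   /* first write triggers the COW copy */
    char head[9];
    read_head(fd, head);
    int ok = memcmp(p, "modified", 8) == 0 && strcmp(head, "original") == 0;
    munmap(p, page);
    close(fd);
    return ok;
}

/* Case 2: a write through a MAP_SHARED mapping lands in the page cache
 * and is visible through the file itself. */
int shared_write_reaches_file(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int fd = make_temp_file("original", page);
    if (fd < 0) return -1;
    char *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) { close(fd); return -1; }
    memcpy(p, "shared!!", 8);
    msync(p, page, MS_SYNC);                    /* push the dirty page to the file */
    char head[9];
    read_head(fd, head);
    int ok = strcmp(head, "shared!!") == 0;
    munmap(p, page);
    close(fd);
    return ok;
}

/* Case 3: once a page has been copied-on-write, a later pwrite() to the
 * file changes the file but not the private copy. Only pages the process
 * has NOT written remain tied to the file's page cache, which is the
 * situation the Project Zero post describes. */
int cow_copy_ignores_later_file_write(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int fd = make_temp_file("original", page);
    if (fd < 0) return -1;
    char *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) { close(fd); return -1; }
    memcpy(p, "modified", 8);                   /* COW: this page is now private */
    (void)pwrite(fd, "tampered", 8, 0);         /* direct write to the file afterwards */
    char head[9];
    read_head(fd, head);
    int ok = memcmp(p, "modified", 8) == 0 && strcmp(head, "tampered") == 0;
    munmap(p, page);
    close(fd);
    return ok;
}

int main(void)
{
    printf("private write stays private:   %d\n", private_write_stays_private());
    printf("shared write reaches file:     %d\n", shared_write_reaches_file());
    printf("COW copy ignores later write:  %d\n", cow_copy_ignores_later_file_write());
    return 0;
}
```

Each function returns 1 when the documented behavior holds and -1 if the setup fails; the program runs unchanged on Linux and macOS. The defensive takeaway from case 3 is the reverse of what it asserts: the kernel's guarantee covers only pages a process has already touched, so any integrity check that trusts a mapped file must account for untouched pages being reloaded from whatever the backing store currently holds.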
Following Project Zero's standard procedure, the team discovered the flaw and reported it to Apple in November 2018, at the same time setting a 90-day deadline before public disclosure to encourage the development of a fix. Proof-of-concept code for the flaw and an explanation have since been posted by the team.
An update on February 28 advises the team has been in contact with Apple about the issue, but no fix for the problem has been released. "Apple are intending to resolve the issue in a future release, and we're working together to assess the options for a patch," team researcher Ben Hawkes notes.
This is not the first time Project Zero has taken aim at Apple's software. In February, it was revealed Apple had patched two flaws in iOS found by the team that were used to hack iPhones and iPads in the wild, while in 2015, three zero-day exploits in Mac OS X were disclosed.
The Project Zero team itself is made up of a number of prominent security researchers. The list includes Jann Horn, a researcher who was central to the discovery of the "Meltdown" and "Spectre" vulnerabilities that afflicted Intel- and ARM-based processors.