Google’s Project Zero has discovered a “high severity,” zero-day security flaw in macOS. But its disclosure policies may be problematic for Mac users. That’s because the vulnerability, which Project Zero disclosed on Monday, is currently unpatched. That means, theoretically, an attacker could exploit the security flaw in the wild. Here’s what you need to know.
What’s the Flaw?
The macOS flaw, essentially, could allow an attacker who can already run code on the machine to tamper with files on a mounted filesystem. Worse still, these modifications can be made without the system or user knowing, according to the Project Zero bug report (filed on the Chromium issue tracker), which also included a proof-of-concept.
More specifically, the vulnerability is a flaw in the copy-on-write (COW) handling in Apple’s XNU kernel. XNU is the kernel at the core of macOS, while COW is a memory-management technique.
COW lets the kernel share data between processes and file mappings without copying it up front: a real copy is only made when one side writes. But, as Project Zero notes, “it is important that the copied memory is protected against later modifications by the source process.” Otherwise, the copy can be tampered with after the fact.
Project Zero’s researchers found that they could modify the contents of a mounted filesystem without the kernel’s virtual memory subsystem being told about the change, so memory that was supposed to be a protected copy could be altered underneath a process.
“This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug,” Project Zero disclosed.
In other words, an attacker could tamper with an on-disk file without alerting the subsystem. That means a user would also be unaware of the attack until it’s too late. Technically, the exploit could be used in targeted attacks or as part of a wider campaign.
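To make the guarantee concrete, here is an added example (not Project Zero’s code) that exercises the copy-on-write promise in user space with a MAP_PRIVATE file mapping: a write through the mapping must not reach the file, and once the private copy exists, changing the file behind it must not alter the copy. The XNU bug is a kernel-level violation of that second check; on a correct kernel the function returns 1. It assumes a POSIX system with a writable /tmp.

```c
/* Added example, not Project Zero's code: exercises the COW guarantee. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if the process's private copy stayed isolated from the backing
 * file in both directions, 0 if the guarantee broke, -1 on a setup error. */
int cow_guarantee_holds(void)
{
    char path[] = "/tmp/cowdemoXXXXXX";        /* constructed scratch file */
    const char original[] = "original";
    const size_t n = sizeof original;          /* 9 bytes including the NUL */
    char disk[sizeof original];
    char *map;
    int ok = 1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                              /* freed once fd is closed */
    if (write(fd, original, n) != (ssize_t)n) { close(fd); return -1; }

    /* MAP_PRIVATE: the kernel promises that writes through this mapping land
     * in a per-process copy and never in the file itself. */
    map = mmap(NULL, n, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }

    /* Check 1: a write via the mapping must not reach the on-disk file. The
     * write also takes the COW fault, so this page is now our own copy. */
    map[0] = 'X';
    if (pread(fd, disk, n, 0) != (ssize_t)n) ok = -1;
    else if (memcmp(disk, original, n) != 0) ok = 0;

    /* Check 2: once the copy exists, changing the file behind it must not
     * alter the copy. The XNU bug violates this promise: the file's backing
     * store changed without the virtual memory subsystem being told. */
    if (ok == 1) {
        if (pwrite(fd, "replaced", 8, 0) != 8) ok = -1;
        else if (memcmp(map, "Xriginal", 8) != 0) ok = 0;
    }
    munmap(map, n);
    close(fd);
    return ok;
}
int main(void)
{
    int r = cow_guarantee_holds();
    printf("COW guarantee: %s\n", r == 1 ? "held" : r == 0 ? "VIOLATED" : "untestable");
    return r == 1 ? 0 : 1;
}
```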
Project Zero Policies
The macOS kernel flaw is a “zero-day” vulnerability, which Project Zero has rated a “high severity” threat. That’s because the details are now public knowledge, but there’s no patch available.
It all comes down to Project Zero’s disclosure policy. The team publishes vulnerability details 90 days after reporting them to the vendor, whether or not a patch has shipped by then.
Google first alerted Apple to the macOS flaw back in November 2018, meaning that the 90-day window has elapsed.
When Is a Fix Coming?
Google, for its part, said that it has been in contact with Apple regarding the issue. Apple is reportedly intending to resolve it in a future release, and both teams are working together to “assess the options for a patch.” But no exact timeline exists currently.
Based on Apple’s current software development schedule, it’s possible that a fix could be included in macOS 10.14.4. But until Apple updates its security content page, we won’t know for sure.
In the meantime, because the flaw is unpatched and it can be exploited without tripping any safeguards, macOS users should be wary of the websites that they visit and the files that they download.