'High severity' kernel security flaw found in macOS file system

Posted:
in macOS edited March 4
Google's Project Zero has revealed a "high severity" flaw in the macOS kernel, one which could allow an attacker to make changes to a file without macOS being informed, an issue that could lead to infected files being opened and allowing more malicious activities to become available to abuse.




Project Zero, Google's team of security researchers who find and report flaws in commercial software, revealed the issue with XNU on the Chromium website. The flaw is described as being able to take advantage of XNU's copy-on-write (COW) behavior that allows writing of data between processes, but while it is supposed to be protected from later modifications, the way it is implemented in macOS is apparently less secure than hoped.

If a user-owned mounted filesystem image is modified, reports NeoWin, the virtual management subsystem is not advised of any changes. This ability to change the on-disk file without the subsystem being aware is considered a security risk by Project Zero.

"This copy-on-write behavior works not only with anonymous memory, but also with file mappings," Project Zero explains in its posting. "This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem."

"MacOS permits normal users to mount filesystem images," the post continues. "When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem,"

According to Project Zero's procedures, it discovered the flaw and advised Apple of its existence in November 2018, at the same time as issuing a 90-day deadline to fix the flaw before it is published, to encourage the development of a fix. Proof-of-concept code for the flaw and an explanation has since been posted by the team.

An update on February 28 advises the team has been in contact with Apple about the issue, but no fix for the problem has been released. "Apple are intending to resolve the issue in a future release, and we're working together to assess the options for a patch," team researcher Ben Hawkes notes.

This is not the first time Project Zero has taken aim at Apple's software. In February, it was revealed Apple had patched two flaws in iOS found by the team that were used to hack iPhones and iPads in the wild, while in 2015, three zero-day exploits in Mac OS X were disclosed.

The Project Zero team itself is made up of a number of prominent security researchers. The list includes Jann Horn, a researcher who was central to the discovery of the "Meltdown" and "Spectre" vulnerabilities that afflicted Intel- and ARM-based processors.
«1

Comments

  • Reply 1 of 21
    And what is XNU?
  • Reply 2 of 21
    crowleycrowley Posts: 6,018member
  • Reply 3 of 21
    tyler82tyler82 Posts: 883member
    So much for that Apple = security thing. 
  • Reply 4 of 21
    crowley said:
    How clever.

    So you think it's good journalism to use a term for the first time ever without bothering to define or explain it?

    Edit: my mistake.  It was mentioned in one article in 2017 and then another 5 years before that.
    edited March 4
  • Reply 5 of 21
    seanismorrisseanismorris Posts: 1,084member
    Thanks Project Zero!

    The more security researchers kicking the tires, the more secure the software is.

    It’s nice to see Google’s “Don’t be evil” stance isn’t entirely gone.

    +1 Google
    -1 Apple (who still doesn’t have MacOS bug-bounty program)
    electrosoftracerhomie3muthuk_vanalingamchristophbtyler82jony0
  • Reply 6 of 21
    crowleycrowley Posts: 6,018member
    crowley said:
    How clever.

    So you think it's good journalism to use a term for the first time ever without bothering to define or explain it?

    Edit: my mistake.  It was mentioned in one article in 2017 and then another 5 years before that.
    I think if the journalism is regarding macOS kernel flaws, then its a fair assumption that readers know what the macOS kernel is, or are savvy enough to work it out.  Ideally the article would also mention it, but it's no great shake.
    seanismorris
  • Reply 7 of 21
    AppleExposedAppleExposed Posts: 1,503unconfirmed, member
    I can see Apple haters latching onto this for years to come while ignoring the millions of viruses/malware etc. that knockoff iPhones(99.9% malware) and Windows machines(99% malware) have.

    Apple just has to slip once on a clean floor while MS/Goog are swimming in a swamp.

    tyler82 said:
    So much for that Apple = security thing. 

    See?
    racerhomie3ericthehalfbeebaconstanglongpathHenryDJPlostkiwibakedbananas
  • Reply 8 of 21
    maestro64maestro64 Posts: 4,658member
    So how do you make this happen in the real world? What is a reasonable use case or this attach.
    bakedbananas
  • Reply 9 of 21
    thrangthrang Posts: 774member
    I can't even tell what the risk is from a daily use perspective...
    longpath
  • Reply 10 of 21
    MplsPMplsP Posts: 1,666member
    maestro64 said:
    So how do you make this happen in the real world? What is a reasonable use case or this attach.
    thrang said:
    I can't even tell what the risk is from a daily use perspective...
    my thoughts exactly. They label it as "high severity" but I'm having a hard time getting that from the description.
    longpath
  • Reply 11 of 21
    MacProMacPro Posts: 18,368member
    I am amazed Google have time to check Apple OS given all the problem with their own. Oh, wait ... deflection ...
    HenryDJP
  • Reply 12 of 21
    mojo66mojo66 Posts: 20member
    I can see why this is a bug, but I fail to see the real life security implications because there is no privilege escalation. Can someone (maybe the author Malcolm Owen) enlighten us why this is tagged as 'high severity' flaw?
  • Reply 13 of 21
    normangnormang Posts: 79member
    To me high severity means that an exploit is out in the wild, probably not.. And what would it actually take do do this? Chances are its highly complex and not worth the average hackers time, and for what return? If its just to be annoying, there are far easier ways than this..
  • Reply 14 of 21
    macxpressmacxpress Posts: 4,973member
    tyler82 said:
    So much for that Apple = security thing. 
    Is your purpose here to just shit all over Apple and rub salt in a wound every time something happens? Seriously, that's all you ever do. 

    There have been security holes in macOS for years (since its inception) and there always will be. Apple doesn't release Security Updates regularly for the hell of it...
    bakedbananas
  • Reply 15 of 21
    I can see Apple haters latching onto this for years to come while ignoring the millions of viruses/malware etc. that knockoff iPhones(99.9% malware) and Windows machines(99% malware) have.

    Apple just has to slip once on a clean floor while MS/Goog are swimming in a swamp.

    tyler82 said:
    So much for that Apple = security thing. 

    See?
    Hackers and virus writers are not interested in an OS yhat account for less than 10% of computers and phones. If they were our macs and ios devices will be as bad as windows if not worse. 
    bakedbananas
  • Reply 16 of 21
    tyler82tyler82 Posts: 883member
    I can see Apple haters latching onto this for years to come while ignoring the millions of viruses/malware etc. that knockoff iPhones(99.9% malware) and Windows machines(99% malware) have.

    Apple just has to slip once on a clean floor while MS/Goog are swimming in a swamp.

    tyler82 said:
    So much for that Apple = security thing. 

    See?

    Ive owned apple products since the Performa 636. You’re ignorant 
  • Reply 17 of 21
    tyler82tyler82 Posts: 883member
    macxpress said:
    tyler82 said:
    So much for that Apple = security thing. 
    Is your purpose here to just shit all over Apple and rub salt in a wound every time something happens? Seriously, that's all you ever do. 

    There have been security holes in macOS for years (since its inception) and there always will be. Apple doesn't release Security Updates regularly for the hell of it...

    I agree with that. I don’t agree with Apples branding themselves as Apple = security. Because it’s more like Apple (mostly)= security

    now go take a deep breath, sorry I hurt your feelings so easily 
  • Reply 18 of 21
    tyler82 said:

    I agree with that. I don’t agree with Apples branding themselves as Apple = security. Because it’s more like Apple (mostly)= security

    now go take a deep breath, sorry I hurt your feelings so easily 
    In your over zealous need to pounce you seem to have decided that just because there's a new security flaw that somehow this means Apple are not, as a rule, highly motivated to ensure our devices are secure (more so than their competitors).

    You after all who conflated this and Apples overall stance on security. The two are not synonymous here, despite your apparent desire to make it so.
    bakedbananas
  • Reply 19 of 21
    gatorguygatorguy Posts: 21,105member
    MissNomer said:
    tyler82 said:

    I agree with that. I don’t agree with Apples branding themselves as Apple = security. Because it’s more like Apple (mostly)= security

    now go take a deep breath, sorry I hurt your feelings so easily 
    In your over zealous need to pounce you seem to have decided that just because there's a new security flaw that somehow this means Apple are not, as a rule, highly motivated to ensure our devices are secure (more so than their competitors).

    You after all who conflated this and Apples overall stance on security. The two are not synonymous here, despite your apparent desire to make it so.
    Who would their "less motivated to ensure our devices are secure" competitors be? 
  • Reply 20 of 21
    laoban00 said:
    Hackers and virus writers are not interested in an OS yhat account for less than 10% of computers and phones. If they were our macs and ios devices will be as bad as windows if not worse. 
    Ah yes, security through obscurity. Because if there's one company I think of when I hear "obscure", it's Apple.
    People that have Apple computers have more money. Hackers are in it for the money right? And can you imagine the fame of the person that comes up with a real virus (like the 999 viruses a day found on Windows) for the Mac?
    Really, this has been proven over and over again - Macs are more secure than Windows computers.
    bakedbananas
Sign In or Register to comment.