'High severity' kernel security flaw found in macOS file system
Google's Project Zero has revealed a "high severity" flaw in the macOS kernel, one which could allow an attacker to make changes to a file without macOS being informed, an issue that could lead to infected files being opened and allowing more malicious activities to become available to abuse.
Project Zero, Google's team of security researchers who find and report flaws in commercial software, revealed the issue with XNU on the Chromium website. The flaw is described as being able to take advantage of XNU's copy-on-write (COW) behavior that allows writing of data between processes, but while it is supposed to be protected from later modifications, the way it is implemented in macOS is apparently less secure than hoped.
If a user-owned mounted filesystem image is modified, reports NeoWin, the virtual management subsystem is not advised of any changes. This ability to change the on-disk file without the subsystem being aware is considered a security risk by Project Zero.
"This copy-on-write behavior works not only with anonymous memory, but also with file mappings," Project Zero explains in its posting. "This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem."
"MacOS permits normal users to mount filesystem images," the post continues. "When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem,"
According to Project Zero's procedures, it discovered the flaw and advised Apple of its existence in November 2018, at the same time as issuing a 90-day deadline to fix the flaw before it is published, to encourage the development of a fix. Proof-of-concept code for the flaw and an explanation has since been posted by the team.
An update on February 28 advises the team has been in contact with Apple about the issue, but no fix for the problem has been released. "Apple are intending to resolve the issue in a future release, and we're working together to assess the options for a patch," team researcher Ben Hawkes notes.
This is not the first time Project Zero has taken aim at Apple's software. In February, it was revealed Apple had patched two flaws in iOS found by the team that were used to hack iPhones and iPads in the wild, while in 2015, three zero-day exploits in Mac OS X were disclosed.
The Project Zero team itself is made up of a number of prominent security researchers. The list includes Jann Horn, a researcher who was central to the discovery of the "Meltdown" and "Spectre" vulnerabilities that afflicted Intel- and ARM-based processors.
Project Zero, Google's team of security researchers who find and report flaws in commercial software, revealed the issue with XNU on the Chromium website. The flaw is described as being able to take advantage of XNU's copy-on-write (COW) behavior that allows writing of data between processes, but while it is supposed to be protected from later modifications, the way it is implemented in macOS is apparently less secure than hoped.
If a user-owned mounted filesystem image is modified, reports NeoWin, the virtual management subsystem is not advised of any changes. This ability to change the on-disk file without the subsystem being aware is considered a security risk by Project Zero.
"This copy-on-write behavior works not only with anonymous memory, but also with file mappings," Project Zero explains in its posting. "This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem."
"MacOS permits normal users to mount filesystem images," the post continues. "When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem,"
According to Project Zero's procedures, it discovered the flaw and advised Apple of its existence in November 2018, at the same time as issuing a 90-day deadline to fix the flaw before it is published, to encourage the development of a fix. Proof-of-concept code for the flaw and an explanation has since been posted by the team.
An update on February 28 advises the team has been in contact with Apple about the issue, but no fix for the problem has been released. "Apple are intending to resolve the issue in a future release, and we're working together to assess the options for a patch," team researcher Ben Hawkes notes.
This is not the first time Project Zero has taken aim at Apple's software. In February, it was revealed Apple had patched two flaws in iOS found by the team that were used to hack iPhones and iPads in the wild, while in 2015, three zero-day exploits in Mac OS X were disclosed.
The Project Zero team itself is made up of a number of prominent security researchers. The list includes Jann Horn, a researcher who was central to the discovery of the "Meltdown" and "Spectre" vulnerabilities that afflicted Intel- and ARM-based processors.
Comments
So you think it's good journalism to use a term for the first time ever without bothering to define or explain it?
Edit: my mistake. It was mentioned in one article in 2017 and then another 5 years before that.
The more security researchers kicking the tires, the more secure the software is.
It’s nice to see Google’s “Don’t be evil” stance isn’t entirely gone.
+1 Google
-1 Apple (who still doesn’t have MacOS bug-bounty program)
Apple just has to slip once on a clean floor while MS/Goog are swimming in a swamp.
See?
There have been security holes in macOS for years (since its inception) and there always will be. Apple doesn't release Security Updates regularly for the hell of it...
Ive owned apple products since the Performa 636. You’re ignorant
I agree with that. I don’t agree with Apples branding themselves as Apple = security. Because it’s more like Apple (mostly)= security
now go take a deep breath, sorry I hurt your feelings so easily
You after all who conflated this and Apples overall stance on security. The two are not synonymous here, despite your apparent desire to make it so.