The Google Project Zero team is still hard at work examining security flaws and forwarding them on to the affected companies for fixing. From time to time, these warnings go unheard until the flaw is made public. Apple has found itself in that exact situation this week, with a macOS flaw being brought to light.
The Project Zero team finds flaws and contacts the affected company in order to get them fixed. Companies are then given a 90-day window to roll out a patch, or the issue goes public. The idea is to get companies acting on security concerns faster, before they become common knowledge and easily exploitable.
Late last year, the Project Zero team found an issue with macOS's implementation of copy-on-write behaviour. The issue can allow someone to bypass the virtual management subsystem by using a modified filesystem image. Here is how Google explains it:
“XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process.”
“This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem. This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.”
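As an added example (not from the Project Zero report, and not Apple's or XNU's code), here is the receiver-side defence the quote implies: read a shared copy-on-write region once into memory the receiver owns and validate that copy, instead of re-reading the live mapping and exposing a double read. It is a generic POSIX demonstration assumed to run on Linux, with a temporary file standing in for a mach message and a plain write() standing in for a modified filesystem image; it does not reproduce the XNU bug itself.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MSG_LEN 16
/* Constructed sample "message": a length byte followed by payload bytes. */
static const char SAMPLE[MSG_LEN] = "\x04hello world...";

/* Map the file copy-on-write (PROT_READ, MAP_PRIVATE) and copy it ONCE into
 * caller-owned anonymous memory. The receiver validates and uses 'snap' only;
 * it never re-reads the live mapping (that second read is the double read). */
static int take_snapshot(int fd, unsigned char **live, unsigned char *snap) {
    void *p = mmap(NULL, MSG_LEN, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) return -1;
    memcpy(snap, p, MSG_LEN);
    *live = p;
    return 0;
}

/* Returns 1 if the snapshot is still byte-identical to the original record
 * after the backing file was rewritten underneath the mapping, 0 on failure.
 * *live_changed reports whether the live mapping itself showed the new bytes
 * (unspecified by POSIX; Linux commonly does for untouched private pages). */
int demo_snapshot_is_stable(int *live_changed) {
    char path[] = "/tmp/cow-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    unlink(path);                                  /* keep only the descriptor */
    if (write(fd, SAMPLE, MSG_LEN) != MSG_LEN) { close(fd); return 0; }
    unsigned char *live, snap[MSG_LEN];
    if (take_snapshot(fd, &live, snap) != 0) { close(fd); return 0; }
    /* The backing file changes after the mapping was handed out: the length
     * byte now claims 0xFF, which is what a second read of 'live' could see. */
    unsigned char altered[MSG_LEN];
    memcpy(altered, SAMPLE, MSG_LEN);
    altered[0] = 0xFF;
    int ok = lseek(fd, 0, SEEK_SET) == 0 && write(fd, altered, MSG_LEN) == MSG_LEN;
    *live_changed = ok && live[0] != (unsigned char)SAMPLE[0];
    int stable = ok && memcmp(snap, SAMPLE, MSG_LEN) == 0;
    munmap(live, MSG_LEN); close(fd);
    return stable;
}

int main(void) {
    int changed = 0, stable = demo_snapshot_is_stable(&changed);
    printf("snapshot stable: %d, live mapping changed: %d\n", stable, changed);
    return stable ? 0 : 1;
}
```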
That bug has now been made public, complete with a proof-of-concept of how it could be exploited. Now that it is public, Apple is apparently working on a fix for a future macOS update.
KitGuru Says: These issues are normally fixed relatively quickly after being made public. Apple has had enough public pressure this year after the FaceTime Group bug, so this will likely jump to the top of the priority list.