Google discloses macOS security flaw before patch is released

Spread the love

Google’s Project Zero has found a serious flaw in macOS’s XNU kernel and disclosed the details before Apple releases a patch. Google notified Apple about the leak in November last year.

By default, Google Project Zero has a 90-day period after reporting vulnerabilities to a developer, after which the company proceeds to publication. Apple is working on a fix, but when it will appear is unknown.

The vulnerability concerns the copy-on-write, or cow behavior of XNU. “It is important that copied memory is protected from later modifications by the source process,” write the Google Project Zero researchers. Apple’s implementation turned out to be incorrect.

“This means that if an attacker can mutate an on-disk file without informing the virtual management system, it’s a security issue,” Project Zero said. On macOS, this happens when mounting filesystem images: changes to the filesystem are not propagated to the mounted filesystem, which can be abused. The researchers have released a proof-of-concept.

You might also like
Exit mobile version