A security researcher from Google’s Project Zero has disclosed a “high severity” flaw in XNU, the macOS kernel, that in some cases lets memory shared copy-on-write (COW) between processes be modified after it has been handed over (via Neowin). The researcher is said to have reported the issue to Apple in November last year, but the company has yet to ship a fix, even though the 90-day disclosure deadline has passed.
For those who aren’t familiar, members of Google’s Project Zero team are known for discovering security flaws in the company’s own products as well as those manufactured by other firms. They report these flaws privately to the manufacturers and give them 90 days to resolve the problem before disclosing it to the public.
According to the researcher, when a user-mounted filesystem image is modified directly on macOS, “the virtual management subsystem is not informed of the changes”. A process that was handed file-backed data through a COW transfer can therefore see that data change underneath it, without either the mounted filesystem or the kernel’s memory manager noticing:
“This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.
This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem.”
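The property the quote relies on, as an added example written for this page (it is not Project Zero’s proof of concept and not Apple’s code). The C program below runs on Linux rather than macOS and uses an ordinary temporary file instead of a mounted disk image, so it does not reproduce the XNU bug itself: there is no disk image, no page-cache eviction and no mach message. It shows the general behaviour the report builds on, namely that a copy-on-write (MAP_PRIVATE) mapping of a file keeps reading the kernel’s cached copy of that file until the page is actually copied, so changing the backing file changes what the mapping returns, and it shows the consumer-side defence: copy the bytes into memory the process owns before validating them. The path under /tmp and the observed byte values are assumptions about Linux page-cache behaviour; POSIX leaves it unspecified whether later changes to a file are visible through a MAP_PRIVATE mapping.

```c
/* Added example: a file-backed copy-on-write mapping is not a snapshot.
 * Linux demonstration of the principle behind the Project Zero report; it does
 * NOT reproduce the XNU bug (no mounted disk image, no page eviction, no mach
 * messages). Observed values assume Linux page-cache semantics. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct cow_obs {
    char before;        /* byte 0 seen through the MAP_PRIVATE mapping right after mmap() */
    char snapshot;      /* byte 0 of a memcpy() into anonymous memory taken at that time */
    char after_pwrite;  /* byte 0 seen after pwrite() changed the file, page not yet copied */
    char after_cow;     /* byte 0 seen after the page was copied and the file changed again */
};

/* Runs the demonstration on a throw-away temp file.
 * Returns 0 on success, -1 if a syscall failed. */
int run_cow_demo(struct cow_obs *o)
{
    char path[] = "/tmp/cow-demo-XXXXXX";   /* assumption: /tmp is writable */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                           /* keep the descriptor, drop the name */

    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0 || ftruncate(fd, pg) < 0 || pwrite(fd, "A", 1, 0) != 1) {
        close(fd);
        return -1;
    }

    /* Private (copy-on-write) mapping of the file. Until a page of this mapping
     * is written through the mapping, reads go to the kernel's page-cache copy. */
    char *map = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        return -1;
    }
    o->before = map[0];                     /* 'A' */

    /* Consumer-side defence: copy what you intend to validate into memory that
     * only this process owns, then validate and use the copy, never the mapping. */
    char snapshot[16];
    memcpy(snapshot, map, sizeof snapshot);
    o->snapshot = snapshot[0];              /* 'A', and it stays 'A' */

    /* The writer side changes the backing file behind the mapping's back. */
    if (pwrite(fd, "B", 1, 0) != 1) goto fail;
    o->after_pwrite = map[0];               /* 'B' on Linux: the page was never copied */

    /* Writing through the mapping forces the kernel to copy the page; only now
     * does the mapping hold private memory that no longer follows the file. */
    map[1] = 'x';
    if (pwrite(fd, "C", 1, 0) != 1) goto fail;
    o->after_cow = map[0];                  /* 'B': the copied page ignores the later write */

    munmap(map, (size_t)pg);
    close(fd);
    return 0;

fail:
    munmap(map, (size_t)pg);
    close(fd);
    return -1;
}

/* Packs the observations (before, after_pwrite, after_cow, snapshot) into one
 * int so a single comparison can check the whole run; -1 on failure. */
int cow_demo_bytes(void)
{
    struct cow_obs o;
    if (run_cow_demo(&o) != 0) return -1;
    return (o.before << 24) | (o.after_pwrite << 16) | (o.after_cow << 8) | o.snapshot;
}

int main(void)
{
    struct cow_obs o;
    if (run_cow_demo(&o) != 0) {
        perror("cow demo");
        return 1;
    }
    printf("mapping right after mmap:      %c\n", o.before);
    printf("mapping after pwrite(file):    %c  (file change visible through the private mapping)\n", o.after_pwrite);
    printf("mapping after page was copied: %c  (later file change no longer visible)\n", o.after_cow);
    printf("private snapshot:              %c  (what a consumer should validate and use)\n", o.snapshot);
    return 0;
}
```

Build with `cc -o cow-demo cow-demo.c` and run it. The second observation is the point: a page that the kernel has not yet copied is the file, not a copy of it, so whoever can change the backing store can change what the receiver reads. In the XNU report the backing store is a mounted image whose pages can be evicted and reloaded, and the write that goes unnoticed is a pwrite() to the image file rather than to the mounted file; the receiver-side mitigation, copying the transferred bytes into anonymous memory before validating them, is the same in both cases.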
Apple is now said to have accepted the problem and is working with Project Zero on a patch for a future macOS release.