Google Engineers Disclose “High Severity” Flaw in macOS Kernel

• Google’s Project Zero team has disclosed a serious macOS kernel vulnerability to the public.
• The problem relies on the XNU’s COW system, and the way that information about filesystem changes is managed.
• The flaw is demonstrated by a proof of concept code, so fixing it now is imminent.

Three months after the initial reporting to Apple’s developers, and with the flaw not having been fixed yet, Google’s Project Zero team has disclosed a serious macOS kernel (XNU) vulnerability to the public. According to Google’s security engineers, the flaw is categorized as “high severity”, because it has the potential to affect a large number of users and systems. Apple has finally acknowledged the problem and they are working towards a fix that will hopefully land via a patch soon.

The trouble stems from the way the kernel handles the “copy-on-write” (COW) process, allowing an attacker to mutate an on-disk file without the virtual management subsystem getting updated. What this means in simple words is that if the image on one of the user’s mounted filesystem is modified, either maliciously or not, the virtual management subsystem will never know. Normally, all mutations to a mounted filesystem should be dynamically and constantly propagated to the active image.

The COW system is in place in order to allow copies of data between processes to be seamlessly created in the system memory. However, COW does not inform the virtual management system of all its actions, allowing potential attackers to exploit double-reads in the destination process through the source process. To demonstrate how that could work, Google’s security engineers have developed and also disclosed a proof of concept code that exploits the particular vulnerability. When researchers disclose PoC examples, attackers have something to base their malicious plan upon, and software vendors (Apple in this case) have the pressure on their back to issue a fixing patch as quickly as possible.

The reason why Apple decided to neglect a high severity security flaw for a full three months is unknown, as reports from the ever-prolific Project Zero team are not to be ignored. As we have seen just yesterday, Apple is not handling security reports in a proper and systematic manner, risking their users’ security and data privacy by leaving flaws and vulnerabilities open for a long time. Playing the game of negative publicity has not yielded the desired results for the Cupertino company so far.

Do you believe that Apple should handle security bug reports with greater responsibility, or do you think that they are doing the best they can? Share your opinion in the comments section below, and don’t forget that you have the power to help us spread the word, by sharing this post through our Facebook and Twitter portals.