Bad news: Google drops macOS zero-day after Apple misses bug deadline. Good news: It's fiddly to exploit

Google has publicly disclosed a zero-day flaw in Apple's macOS after the Cupertino mobe-maker failed to fix the security shortcoming within the ad giant's 90-day deadline.

The vulnerability itself is relatively minor in terms of danger: it allows malware already running on your Mac, or a rogue logged-in user, to potentially escalate their privileges, and fully take over the computer, by secretly altering the contents of files on user-mounted disks without you noticing. Thus, to exploit the weakness, your computer already has to be compromised, which is pretty much game over for most folks.

However, this is Google dropping a proof-of-concept exploit on a tech rival, and it's therefore caught everyone's attention.

No warning

Two of the web goliath's Project Zero researchers, Meltdown-finder Jann Horn and bug-hunter-extraordinaire Ian Beer, revealed late last week how macOS's copy-on-write mechanism can be exploited by miscreants to modify files without triggering any sort of alert or warning from the operating system.

This mechanism can, it appears, be exploited as such: wait for a particular privileged process to open a file on a user-mounted disk by mapping the object to its virtual memory; then alter the underlying file system of the mounted disk to change the mapped file; and then force the memory pages holding the mapped file for the privileged process to be evicted by writing to a separate huge memory-mapped file.

When victim process reads from its mapped file again, it will pull in the altered data from the file system without any notification or warning the file underneath has changed. It thus may be possible to exploit this to crash the app, or confuse it to achieve privilege escalation.

It's a long shot, though one that could be taken by a malicious application, code fetched from a dodgy NPM package or GitHub repo, and so on.

Under pressure

"After the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache," Horn explained.

"Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem. This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.

"MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem."

More concerning than the vulnerability itself is Apple's response. Horn reported the bug to Sir Jony's shiny thing factory back in November 2018 with a standard 90-day window for patch.

Despite putting out multiple security updates for the macOS between then and now, the above vulnerability was not patched. While the Project Zero team says that Apple is aware of the issue and has been planning to patch it, the deadline has passed, meaning the bug and its proof-of-concept exploit are now publicly disclosed as a zero day. It's not the first time Google has done this, though it's usually Microsoft that misses the deadline.

On the other hand, the bug is so esoteric, it's probably way down Apple's to-do list.

Apple did not respond to a request for comment. Google did not respond, either. ®