Google’s Project Zero team is well-known for revealing the bugs and security flaws within systems from Google itself, as well as other big companies. Most recently, the team at Google has reported and publicly disclosed a “high severity” flaw in the macOS kernel which can grant an attacker access to a users computer without their knowledge.
Nomad case for Pixel 3
Detailed on the Chromium bug tracker, via Neowin, Google explains the flaw in Apple’s macOS kernel. Apparently, security researchers discovered that if a modification is made to a user-owned mounted filesystem image, the virtual management system isn’t notified of those changes. Thus, an attacker can potentially be granted access to perform malicious actions on that mounted filesystem without the end user ever knowing about it until it’s too late.
Apparently, Google first disclosed this flaw to Apple back in November of 2018. However, since 90 days have since passed and the company has yet to issue a patch, the flaw has been publicly disclosed. Google has labeled the issue as “high severity,” meaning its impact could be fairly large.
Thankfully, Apple has since acknowledged the issue and has started working with Google’s Project Zero on a fix (Apple regularly credits Google for fixes in release notes). Apple intends to patch the issue in a future macOS release, but no timeline is available on that just yet. Google provides a proof-of-concept example on the bug tracker page, as well as the in-depth explanation below.
XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process.
This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.
This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem.
More on Google:
- Google Maps expands Lime scooter location tracking to 80 more cities globally
- Google begins notifying winners of I/O 2019 ticket drawing
- Google optimizing wind farms with DeepMind ML to predict power output by 36 hours