Security researchers on Google’s Project Zero team disclosed today a “high-severity” vulnerability in Apple’s macOS desktop operating system. The gaping hole in macOS’s defenses could allow an attacker to exploit a system without the victim knowing about it. The zero-day vulnerability stems from copy-on-write, a process allowed by Apple’s XNU kernel that works with anonymous memory and file mapping. According to a post by Google on Monorail, the memory being copied on macOS isn’t properly protected against modifications, therefore, the copy-on-write process can be exploited to copy potentially dangerous code. “This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug,” Google researchers wrote. Google informed Apple of the flaw in November 2018 but the Cupertino giant failed to release a patch before the 90-day deadline expired. Security experts described the vulnerability as “high-severity.” “We’ve been in contact with Apple regarding this issue, and at this point no fix is available,” researchers wrote. “Apple are intending to resolve this issue in a future release, and we’re working together to assess the options for a patch. We’ll update this issue tracker entry once we have more details.” It’s not clear how many, if any, systems have been affected by the flaw. Apart from the standard actions one can take to protect their laptop, MacBook users can only cross their fingers that an update will arrive soon with a fix. If Google’s Project Zero sounds familiar, it’s because this team of researchers was instrumental in discovering the Meltdown security attack at the start of last year. We have reached out to Apple about the copy-on-write vulnerability and will update this post if we hear back.
