Google publicly disclosed a zero-day flaw in macOS after Apple failed to fix it within Google's 90-day deadline. The vulnerability lets the contents of a user-mounted disk be altered without the device's legitimate owner knowing, and it allows malware already running on a Mac, or a rogue user, to escalate privileges.
It is significant that Google has published a proof-of-concept exploit against one of its major rivals. However, the vulnerability itself is not easy to exploit: a user's computer already has to be compromised for it to work. The flaw was found by two well-known researchers, Jann Horn and Ian Beer (via The Register).
Exploiting Copy-on-Write Mechanism
They found that the macOS copy-on-write mechanism can be exploited to let an attacker modify a file without the operating system generating any alert. The researchers explained:
After the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem. This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.
An attacker could wait for a user with high-level privileges to open a file on a user-mounted disk, which the privileged process does by mapping the file into its virtual memory. The attacker could then change both the underlying file system of that mounted disk and the mapped file itself. After that, the attacker could force the memory pages holding the mapped file for the privileged process to be evicted, by writing to a different memory-mapped file until memory pressure pushes them out of the page cache.
When the mapped file is next read, the privileged process receives the data from the file system that the attacker altered. The legitimate user would receive no alert from macOS that the file underneath had been changed. An attacker could use this flaw to escalate their privileges or crash an app.
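The article's description rests on a general property of copy-on-write file mappings that is worth seeing directly: a process that maps a file privately reads the kernel's page-cache copy of that file, not a snapshot, until it writes to a page and the kernel duplicates it. The program below is an added, stand-alone illustration of that property on Linux (it is not code from the article or from Project Zero, and it does not reproduce the macOS bug, whose extra twist is that evicted pages were reloaded from a backing store modified behind the page cache's back). It creates a temporary file, maps it with MAP_PRIVATE, overwrites the file with write(2), and records what the mapping shows at each stage. The defender's takeaway is that a memory-mapped file is not an immutable copy, so integrity checks must happen on the bytes actually used, not on the file as it looked when it was opened. POSIX leaves the visibility of later file writes in a private mapping unspecified; the values asserted are Linux behaviour.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* What the mapping's first byte shows at each stage of the demonstration. */
struct cow_observation {
    char mapped_initial;     /* map[0] right after mmap()                          */
    char mapped_after_write; /* map[0] after the file was overwritten via write(2) */
    char mapped_after_cow;   /* map[0] after the page was copied and the file      */
                             /* overwritten once more                              */
    char file_final;         /* file[0] at the end, read back with pread(2)        */
};

/* Runs the demonstration on a throwaway file. Returns 0 on success, -1 on any
 * system-call failure (for example a sandbox that forbids /tmp or mmap). */
int observe_cow(struct cow_observation *out)
{
    long page = sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/cow-demo-XXXXXX"; /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0 || page <= 0)
        return -1;
    unlink(path); /* keep the descriptor, drop the name: nothing is left behind */

    char *buf = malloc((size_t)page);
    if (!buf) { close(fd); return -1; }

    /* Stage 0: file holds one page of 'A'. */
    memset(buf, 'A', (size_t)page);
    if (pwrite(fd, buf, (size_t)page, 0) != page) { free(buf); close(fd); return -1; }

    /* A private, writable mapping: the classic copy-on-write setup. */
    char *map = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { free(buf); close(fd); return -1; }

    /* Reading faults the page in; the PTE points at the shared page-cache page. */
    out->mapped_initial = map[0];

    /* Stage 1: overwrite the file. The page-cache page is updated in place, and
     * the mapping, which has not been written to, still points at that page. */
    memset(buf, 'B', (size_t)page);
    if (pwrite(fd, buf, (size_t)page, 0) != page) { munmap(map, (size_t)page); free(buf); close(fd); return -1; }
    out->mapped_after_write = map[0];

    /* Stage 2: write through the mapping. The write fault makes the kernel copy
     * the page; from here on the process owns a private copy. */
    map[1] = 'X';
    memset(buf, 'C', (size_t)page);
    if (pwrite(fd, buf, (size_t)page, 0) != page) { munmap(map, (size_t)page); free(buf); close(fd); return -1; }
    out->mapped_after_cow = map[0]; /* still 'B': the copy no longer tracks the file */

    if (pread(fd, buf, 1, 0) != 1) { munmap(map, (size_t)page); free(buf); close(fd); return -1; }
    out->file_final = buf[0];

    munmap(map, (size_t)page);
    free(buf);
    close(fd);
    return 0;
}

int main(void)
{
    struct cow_observation o;
    if (observe_cow(&o) != 0) {
        perror("observe_cow");
        return 1;
    }
    printf("after mmap:            mapping sees '%c'\n", o.mapped_initial);
    printf("after file overwrite:  mapping sees '%c' (no notification)\n", o.mapped_after_write);
    printf("after COW + overwrite: mapping sees '%c', file now holds '%c'\n",
           o.mapped_after_cow, o.file_final);
    return 0;
}
```

Build with `cc -O2 cow_demo.c -o cow_demo` and run it on Linux; the middle line is the point of the exercise, since the process observed its input changing without any write of its own and without any signal from the kernel. The macOS flaw widened this window further: even a page the kernel had already copied could, after eviction, be refilled from a disk image the attacker had edited directly, which is why Project Zero classified an unannounced on-disk mutation as a security bug rather than a quirk.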