Google Publishes macOS Zero-Day Exploit

1 minute read
| News

Google publicly disclosed a zero-day flaw in macOS after Apple failed to fix it within Google's 90-day disclosure deadline. The vulnerability lets an attacker alter the contents of a user-mounted disk without the device's legitimate owner, or the operating system's virtual memory subsystem, noticing. It allows malware already running on a Mac, or a rogue local user, to escalate privileges.


It is notable that Google has published a proof-of-concept exploit against one of its major rivals. The vulnerability itself, however, is not easy to exploit: the attacker must already be able to run code on the Mac, so the machine has to be compromised before it can be used. The bug was found by two well-known Google Project Zero researchers, Jann Horn and Ian Beer (via The Register).

Exploiting Copy-on-Write Mechanism

They found that the macOS copy-on-write mechanism can be abused to modify a file that another process has mapped into memory, without the operating system noticing the change. The researchers explained:

After the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem. This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.

The attack works like this. The attacker waits for a process with high privileges to open a file on a user-mounted disk and map it into its virtual memory. The attacker then modifies the underlying filesystem of that mounted disk, and with it the mapped file, without going through the operating system's virtual memory subsystem. Next, the attacker forces the memory pages holding the mapped file to be evicted from the privileged process by creating memory pressure, for example by writing to another file that has been mapped into memory.

When the privileged process next reads from the mapped file, the pages are reloaded from the filesystem the attacker has altered, so the process sees the attacker's data. The legitimate user receives no alert from macOS that the file underneath has changed. An attacker could use this to escalate privileges or crash an application.
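As an added illustration of the copy-on-write behaviour the bug depends on (this is example code written for this page, not Project Zero's proof of concept, and it shows the normal, safe case rather than the bug itself): a process maps a two-page file MAP_PRIVATE, reads one page and writes to the other, and a writer then changes the whole file on disk through the ordinary write path. The page the reader never wrote to is still backed by the page cache and tracks the on-disk change; the page it wrote to has been privately copied and keeps the reader's own data. The macOS bug is that the backing file of a mounted disk image could be changed without going through that path, so the virtual memory subsystem was never told. Assumptions: a POSIX system where unmodified MAP_PRIVATE pages share the page cache (Linux and macOS behave this way; POSIX leaves it unspecified) and a writable /tmp; the file contents are constructed sample data.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* What the "privileged reader" sees after the file is changed underneath it. */
struct cow_result {
    char untouched_after; /* byte in a page the reader only read:  expected 'X' */
    char touched_after;   /* byte in a page the reader wrote to:   expected 'Z' */
    char on_disk_after;   /* byte actually in the file afterwards: expected 'X' */
};

/* Runs the experiment on a temporary two-page file; returns 0 on success. */
int run_cow_experiment(struct cow_result *out)
{
    long pg = sysconf(_SC_PAGESIZE);
    size_t len = 2 * (size_t)pg;
    char path[] = "/tmp/cow-demo-XXXXXX";  /* constructed sample file (hypothetical name) */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                           /* the descriptor keeps the inode alive */

    /* Initial on-disk contents: page 0 is all 'A', page 1 is all 'B'. */
    char *buf = malloc(len);
    if (!buf) { close(fd); return -1; }
    memset(buf, 'A', (size_t)pg);
    memset(buf + pg, 'B', (size_t)pg);
    if (pwrite(fd, buf, len, 0) != (ssize_t)len) { free(buf); close(fd); return -1; }

    /* The reader maps the file copy-on-write. No page has been copied yet. */
    char *m = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (m == MAP_FAILED) { free(buf); close(fd); return -1; }

    volatile char seen = m[0];  /* read fault on page 0: reader maps the page-cache page */
    (void)seen;
    m[pg] = 'Z';                /* write fault on page 1: kernel hands the reader a private copy */

    /* The writer overwrites the whole file on disk through the normal write path,
     * which updates the page cache, so the VM subsystem knows about the change. */
    memset(buf, 'X', len);
    if (pwrite(fd, buf, len, 0) != (ssize_t)len) {
        munmap(m, len); free(buf); close(fd); return -1;
    }

    out->untouched_after = m[0];  /* page-cache page was updated in place */
    out->touched_after   = m[pg]; /* private copy is unaffected by the file change */
    if (pread(fd, &out->on_disk_after, 1, (off_t)pg) != 1) {
        munmap(m, len); free(buf); close(fd); return -1;
    }

    munmap(m, len);
    free(buf);
    close(fd);
    return 0;
}

int main(void)
{
    struct cow_result r;
    if (run_cow_experiment(&r) != 0) { perror("cow experiment"); return 1; }
    printf("untouched page: %c (tracks the file on disk)\n", r.untouched_after);
    printf("touched page:   %c (private copy kept)\n", r.touched_after);
    printf("on disk:        %c\n", r.on_disk_after);
    return 0;
}
```

The point to take away is the asymmetry: only pages the mapping process has written to exist as private copies; everything else is re-read from the file's backing store whenever the kernel needs it. An attacker who can change that backing store behind the kernel's back, as the macOS bug allowed for mounted disk images, therefore changes what a privileged process reads without any copy-on-write protection ever kicking in.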

Comment by Lee Dronick (Member), quoting the article:

"It allows malware already running on a Mac"

And how would the malware get on the Mac? Practice safe computing, folks, and venture warily outside of the walled garden.