Google’s Project Zero Reveals ‘High Severity’ macOS Kernel Flaw


While Apple has plenty of individuals working on finding flaws and other issues in its software, oftentimes it’s a third-party entity that discovers them.

We saw how that can happen even by accident when a teenager discovered the Group FaceTime eavesdropping bug earlier this year. But, in a more professional capacity, there are dedicated teams out there looking for major security flaws in software and hardware, such as Google’s own Project Zero team. According to a report from Neowin, that team discovered a “high severity” flaw in the macOS kernel in November of last year.

Now, that security flaw has been disclosed following the 90-day rule that is in place. The flaw, as described by the team that discovered it, allows a hacker to alter any file system image without the computer’s owner being aware of any changes.

“This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.

This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem.”

Google’s Project Zero has been in touch with Apple. Unfortunately, at the time of publication it appears Apple has not fixed the issue. The company is planning to patch it in a subsequent software update, but when that will arrive remains to be seen.

[via Neowin]