Google's Project Zero security division has published details of a security vulnerability in the copy-on-write (COW) functionality of Apple's macOS operating system, despite confirming that the company has not yet released a fix.
Set up to discover serious security vulnerabilities in both Google's own software products and those of third parties, Project Zero has come under fire for its disclosure practices in the past: While the group alerts vendors privately before making the disclosure public, it does not typically wait for a fix to have been released. Most bugs are disclosed within 90 days of discovery regardless of whether or not a fix is available; in one instance Microsoft was given just one week's notice before a flaw in the Windows operating system was publicly disclosed - after having given rival Apple a full five months to resolve a similar security issue.
Project Zero's latest major disclosure, though, gave Apple no such notice: A vulnerability in the copy-on-write (COW) functionality of the XNU kernel which underpins the macOS operating system has been publicly disclosed despite a patch not yet being available, after a 90-day deadline passed.
'XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process,' Google's notification explains. 'This copy-on-write behaviour works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.
'This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.'
While Apple has privately confirmed the existence of the flaw to Google, an update in the bug tracker confirms that 'no fix is available [but] Apple are intending to resolve this issue a future release.' Despite that, the bug report has been automatically published following the expiry of a default 90-day deadline after the private disclosure was made.
Apple has not commented publicly on the flaw, nor provided a timescale for a patch.
March 25 2020 | 14:00