Google’s Project Zero publicly discloses zero-day vulnerability in macOS

• It is a critical vulnerability that allows creating copy-on-write copies of data between processes via a user-owned filesystem image.
• Project Zero research team is working along with Apple to resolve the issue.

What is the issue - Google’s Project Zero publicly discloses the zero-day vulnerability in Apple macOS after the 90-day deadline to fix the issue expired.

Why it matters - It is a critical vulnerability marked as ‘High severity’ that allows creating copy-on-write copies of data between processes via a user-owned filesystem image.

In Apple macOS, filesystem images can be mounted by users, and it is possible to mutate these files directly by calling pwrite() on the filesystem image without copy-on-write informing the subsystem.

“This copy-on-write behavior works not only with anonymous memory but also with file mappings. This means that after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing Filesystem,” Project Zero said.

Worth noting - The vulnerability is a local process escalation bug.

Google’s Project Zero is a security team that finds zero-day vulnerabilities and informs the respective vendors. Vendors informed of the vulnerability are given a 90-day time period for addressing the vulnerability and resolving the issue. If the company does not patch the bug within the 90-day deadline, the team publicly discloses the security issue.

Researchers from Project Zero notified Apple about the security flaw in November 2018 but the company has not fixed the issue to date, therefore, the team publicly disclosed the zero-day vulnerability. However, the research team is working along with Apple to resolve the issue.

“We've been in contact with Apple regarding this issue, and at this point no fix is available. Apple is intending to resolve this issue in a future release, and we're working together to assess the options for a patch,” the research team said.