The Project Zero research group at Google has revealed a severe vulnerability in macOS involving mounted disk images that can be used to compromise target devices.
The vulnerability was revealed following Project Zero's disclosure policy, which gives companies 90 days to patch a problem before it's made public. Apple has yet to fix this issue, and because it's now common knowledge, that means macOS users are at risk.
Project Zero said that macOS automatically creates "copy-on-write copies of data between processes" while it manages memory. That means attackers can modify any mounted disk images without their targets being any the wiser. The researchers explained:
"This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem. (...) This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug."
Apple's faced mounting criticism over its security practices recently. A major FaceTime flaw that let people remotely activate microphones was revealed in January. It was quickly fixed, but Apple's handling of the issue was ill-received.
Then an exploit called KeySteal was revealed, and the researcher said he wouldn't share information with Apple because it didn't have a macOS bug bounty program. He eventually changed his mind--but that inspired even more criticism of Apple's processes.
Here's the good news: Project Zero said that "Apple are intending to resolve this issue in a future release, and we're working together to assess the options for a patch. We'll update this issue tracker entry once we have more details."
