Google's security research team, Project Zero, today disclosed a high-risk vulnerability in the macOS kernel's file system handling. The vulnerability allows a malicious local process to modify a file system image that a user has mounted, and the modification goes unnoticed because the virtual memory subsystem is never informed of the change.
The vulnerability abuses the copy-on-write (COW) behavior that XNU uses when transferring memory between processes. This COW behavior applies not only to anonymous memory but also to file mappings. As Project Zero explained, this means that once the destination process has started reading from the transferred memory area, pages of that mapping can later be evicted from the page cache and reloaded from the backing file system, so a change made to the underlying image in the meantime ends up in the destination process's memory.
Project Zero discovered the vulnerability in November 2018, reported it to Apple, and subsequently published it when its standard 90-day disclosure deadline expired. Team researcher Ben Hawkes noted that the two teams are currently evaluating patch options together, and that Apple intends to address the issue in a future release.
This is not the first time Project Zero has pointed out a vulnerability in Apple software. In February of this year, Apple was reported to have patched two iOS vulnerabilities discovered by the team, both of which had already been exploited against iOS devices. Apple is currently developing a corresponding security update, but because Google has disclosed the vulnerability details ahead of the fix, macOS users should be especially careful about the websites they visit and the files they download.