macOS kernel contains a high-risk vulnerability
Google Project Zero has exposed many vulnerabilities in Microsoft's products over the past few years, publishing details before Microsoft had shipped a fix. Although Microsoft was very upset and publicly blamed Google for disregarding user security, Google has not changed course and continues to disclose vulnerabilities on its original schedule.
Google notifies the vendor immediately after discovering a vulnerability and grants a 90-day repair period. Once that period expires, the vulnerability is disclosed automatically, whether or not it has been fixed.
Google researchers found that the macOS kernel allows copy-on-write in some cases, but the copied memory must then be protected against later modification by the source process. Although copy-on-write is itself a sound resource-management technique, Apple's deployment of it appears to contain a flaw that leads to a security hole. The researchers said that if a user-owned mounted filesystem image is modified, the kernel does not notify the virtual management subsystem of the changed data. This means that an attacker could take malicious actions without the mounted filesystem being aware of them, such as planting a malicious file on the disk image.
This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem. Consequently, if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. macOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this change is not propagated into the mounted filesystem.
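The general pitfall behind this report is that a copy-on-write file mapping is not a stable snapshot of the file: until a page has actually been copied, it is still backed by the page cache, so a later write to the backing file shows through, whereas a page the process has already written to is detached and stops tracking the file. The following script is an added illustration of those mapping semantics on Linux using Python's mmap with MAP_PRIVATE; it is not code from the article or from Project Zero, it does not touch the macOS kernel or disk images, and the temporary file and the byte values it writes are constructed for the demonstration. The "before copy-on-write" visibility is reported rather than asserted because POSIX leaves it unspecified, while the post-copy detachment and the fact that private writes never reach the file are guaranteed.

```python
import mmap
import os
import tempfile

PAGE = mmap.PAGESIZE


def private_mapping_is_not_a_snapshot():
    """Map a constructed temporary file MAP_PRIVATE, then mutate the file
    through a second descriptor with os.pwrite() before and after the
    mapped page has been copied on write.

    Returns a dict describing what the mapping and the file contained at
    each step, so the caller can see where the "snapshot" assumption breaks.
    """
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"A" * PAGE)          # constructed file content: one page of 'A'
        os.fsync(fd)

        # Private (copy-on-write) writable mapping of the first page.
        m = mmap.mmap(fd, PAGE, flags=mmap.MAP_PRIVATE,
                      prot=mmap.PROT_READ | mmap.PROT_WRITE)
        m[0:1]                              # fault the page in; it is still shared with the page cache

        # Step 1: mutate the backing file behind the mapping's back.
        wfd = os.open(path, os.O_WRONLY)
        os.pwrite(wfd, b"B", 0)
        os.close(wfd)
        before_cow = m[0:1]                 # on Linux this is typically b"B": the file write shows through

        # Step 2: write to the mapping; the kernel now copies the page privately.
        m[1:2] = b"C"

        # Step 3: mutate the file again; the private copy no longer tracks it.
        wfd = os.open(path, os.O_WRONLY)
        os.pwrite(wfd, b"D", 0)
        os.close(wfd)
        after_cow = m[0:1]                  # never b"D": the page is detached from the file
        private_byte = m[1:2]               # b"C", visible only inside this mapping
        m.close()

        with open(path, "rb") as f:
            disk = f.read(2)                # b"DA": private writes never reach the file
        return {
            "before_cow": before_cow,
            "after_cow": after_cow,
            "private_byte": private_byte,
            "disk": disk,
        }
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    for key, value in private_mapping_is_not_a_snapshot().items():
        print(f"{key}: {value!r}")
```

The lesson for a design that hands memory across a trust boundary is the one the article draws: once a page can be dropped and reloaded from a file that someone else can still write, the "copy" in copy-on-write is only as trustworthy as the kernel's tracking of that file.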
Google reported the vulnerability to Apple in November last year, and Apple confirmed it, but three months later Apple still has not fixed it.
Apple's latest response is that there is currently no way to fix the vulnerability, and that it is working with the Google researchers to resolve it.