Google Dropped New Zero-day for MacOS Kernel
MacOS zeroday published by Google's Project Zero Team.
Though macOS' kernel, XNU, allows copy-on-write (CoW) behaviour in some cases, it is essential that any copied memory is not available for modifications from the source process. While COW is a resource-management technique that is not inherently flawed, it appears that Apple's implementation of it certainly is.
A researcher from Project Zero has found out that if a user-owned mounted filesystem image is modified, the virtual management subsystem is not informed of the changes, which means that an attacker can potentially take malicious actions without the mounted filesystem knowing about it.
On the advisory, the researcher wrote -
This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.
This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem- he added.
Project Zero Team had reported the flaw to Apple security team in November 2018, where Apple team had accepted the bug also, but Apple failed to fix the bug after exceeding the 90-day deadline, which makes the bug public.
As we all know that Google Project Team finds security flaws on various products of vendors like Adobe, Apple, Microsoft etc.. and give them 90 days to resolve the problem before publicly disclosing it.
Apple team is working with the Project Zero team to patch the issue and may users get the fix on future OS updates. All the technical detail with the exploit code can be found on this thread.