MacOS security flaw identified by Google's Project Zero rated 'high severity'

Google goes public after Apple fails to fix 'Dirty Mac' copy-on-write security flaw within 90 days

Google's Project Zero has gone public on a security flaw in Apple's MacOS operating system that has been rated as ‘high severity'.

Project Zero claims that Apple has failed to fix a flaw in the MacOS implementation of copy-on-write, which could be exploited by attackers - especially now that the flaw has been publicised.

Copy-on-write is a resource management technique mainly used in the virtual memory of operating system processes. However, on MacOs, if a user-owned mounted file system image is modified, copy-on-write fails to inform the virtual management subsystem of the change. Knowledge of this flaw could therefore potentially be used as the launch pad for attacks on MacOS.

The flaw is reminiscent of the ‘Dirty COW' privilege escalation bug in Linux uncovered in 2016.

It wasn't long after publication of the Dirty COW bug that exploits appeared. These included the ability to obtain root permissions in Android devices, and the ability to modify system files in Linux, including server implementations. Linux creator Linus Torvalds rushed out patches as soon as the flaw was publicised.

"This copy-on-write behaviour works not only with anonymous memory, but also with file mappings," Project Zero warns.

"This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.

"This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem."

Following public disclosure of the bug, Apple has finally swung into action, promising a fix. "Apple are intending to resolve this issue in a future release, and we're working together to assess the options for a patch," a comment on the bug reads. "We'll update this issue tracker entry once we have more details."