Google’s security team discovered a high-risk vulnerability in the macOS file system
Project Zero, Google’s security team, discovered and reported a high-risk vulnerability in the macOS file system that allows malicious attackers to modify a file system image mounted by the user. The modification is hard to notice because of how the virtual management subsystem works.
The vulnerability involves the copy-on-write (COW) mechanism that XNU uses to write data in processes. This COW behavior applies not only to anonymous memory but also to file images. Project Zero stated that once the target process has started reading the memory, it can be reloaded from the backing file system even after it has been released from the cache.
Project Zero discovered this vulnerability in November 2018 and notified Apple, then published it after 90 days in accordance with its automatic disclosure policy. Ben Hawkes, a researcher on the team, pointed out that they are jointly assessing options for the patch, and Apple is planning to resolve the issue in a future update.
This is not the first time that Project Zero has reported vulnerabilities in Apple products. In February this year, Apple reportedly fixed 2 iOS vulnerabilities that had been found by the team and had been used to crack iOS devices.
Apple is currently developing the corresponding security update. But since Google has revealed details of the vulnerability in advance, macOS users should pay closer attention to security when visiting websites and downloading files.