GETTING A CALL from Google's Project Zero team is about as welcome as an ex getting in touch with directions to the nearest GUM clinic. In fact, it's worse: at least the ex would have the decency not to tell the whole world after 90 days, whether the antibiotics had done the job or not.
If that uncomfortable analogy isn't clear and you're not familiar with Project Zero, this is how it works. Google's security researchers find a flaw in your software and get in touch so you can fix it. To give you an incentive to actually solve the problem, rather than push it under the carpet, Google's policy is to reveal the flaw 90 days after reporting it, whether it has been fixed or not.
Most software is fixed in time, but there have been a few exceptions, and the companies concerned tend to get particularly grumpy with Google for not giving them an extension.
Apple can now be added to that list after failing to fix, within the deadline, a flaw in the way macOS enforces copy-on-write (COW) for memory backed by mounted filesystem images. In short, if a user-owned filesystem image is modified directly while it is mounted, the kernel's virtual memory subsystem isn't kept in the loop. Memory that has been handed to another process and shared copy-on-write, which the receiving side is entitled to treat as fixed, can be changed after the handover by rewriting the image file underneath it, without the mounted filesystem, or the process on the receiving end, knowing a damned thing.
"This copy-on-write behaviour works not only with anonymous memory, but also with file mappings," the explainer on the Project Zero page states.
"This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.
"This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem."
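The copy-on-write behaviour the explainer describes, as an added example that is not taken from the Project Zero report, the proof of concept or Apple's code: a small C program written for this article that maps a file read-only and MAP_PRIVATE (the receiving side of a COW share), reads it once so the kernel backs the mapping with the shared page-cache page, takes a defensive copy into anonymous memory, then rewrites the file with pwrite() and reports which views noticed. It does not reproduce the macOS bug itself, which needs a mounted image, a write that goes around the mounted filesystem and enough memory pressure to evict the pages; it shows the general property underneath it, that a private mapping is only a lazy copy, and the one defence that does not depend on the kernel noticing the write. The temporary-file locations and the COW_* flag names are this example's own choices, not anything from the report.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

#define PAGE_BYTES 4096   /* one x86-64 page; mmap rounds up on larger-page systems */

/* Result flags (names are this example's own, not from the report). */
#define COW_DISK_CHANGED     1  /* a fresh pread() of the file sees the new byte */
#define COW_MAPPING_CHANGED  2  /* the read-only MAP_PRIVATE view sees the new byte */
#define COW_SNAPSHOT_CHANGED 4  /* the memcpy'd anonymous copy sees the new byte */

/* Create an unlinked scratch file; the locations tried are an assumption. */
static int open_scratch_file(void)
{
    const char *templates[] = { "/tmp/cow-demo-XXXXXX", "./cow-demo-XXXXXX" };
    for (size_t i = 0; i < sizeof templates / sizeof templates[0]; i++) {
        char path[64];
        strncpy(path, templates[i], sizeof path - 1);
        path[sizeof path - 1] = '\0';
        int fd = mkstemp(path);
        if (fd >= 0) {
            unlink(path);              /* the inode lives on through fd */
            return fd;
        }
    }
    return -1;
}

/*
 * Fill a page of the scratch file with 'A', map it MAP_PRIVATE read-only, read
 * byte 0 through the mapping, copy the page into anonymous memory, then
 * overwrite byte 0 on disk with pwrite() and report which views observed it.
 * Returns a bitmask of COW_* flags, or -1 if a system call failed.
 */
int cow_observation_bits(void)
{
    int fd = open_scratch_file();
    if (fd < 0)
        return -1;

    unsigned char page[PAGE_BYTES];
    memset(page, 'A', sizeof page);
    if (write(fd, page, sizeof page) != (ssize_t)sizeof page) {
        close(fd);
        return -1;
    }

    /* Receiving side: a private mapping. Until this process writes to it, the
     * kernel implements it as a reference to the shared page-cache page. */
    unsigned char *view = mmap(NULL, PAGE_BYTES, PROT_READ, MAP_PRIVATE, fd, 0);
    if (view == MAP_FAILED) {
        close(fd);
        return -1;
    }

    unsigned char first = view[0];       /* fault the page in and record it */
    unsigned char snapshot[PAGE_BYTES];
    memcpy(snapshot, view, PAGE_BYTES);  /* defensive copy into anonymous memory */

    /* Writer side: mutate the backing file after the receiver has read it. */
    unsigned char on_disk = 0;
    if (pwrite(fd, "Z", 1, 0) != 1 || pread(fd, &on_disk, 1, 0) != 1) {
        munmap(view, PAGE_BYTES);
        close(fd);
        return -1;
    }

    int bits = 0;
    if (on_disk != first)     bits |= COW_DISK_CHANGED;
    if (view[0] != first)     bits |= COW_MAPPING_CHANGED;
    if (snapshot[0] != first) bits |= COW_SNAPSHOT_CHANGED;

    munmap(view, PAGE_BYTES);
    close(fd);
    return bits;
}

int main(void)
{
    int bits = cow_observation_bits();
    if (bits < 0) {
        perror("cow_observation_bits");
        return 1;
    }
    printf("file on disk changed:       %s\n", (bits & COW_DISK_CHANGED) ? "yes" : "no");
    printf("MAP_PRIVATE view changed:   %s\n", (bits & COW_MAPPING_CHANGED) ? "yes" : "no");
    printf("anonymous snapshot changed: %s\n", (bits & COW_SNAPSHOT_CHANGED) ? "yes" : "no");
    return 0;
}
```

On Linux the mapped view reports the change and the copied snapshot does not, so the function returns 3: the file and the private mapping changed, the anonymous copy did not. POSIX leaves it unspecified whether a MAP_PRIVATE mapping sees later writes to the file, which is the practical point. Copy-on-write only promises you a private page once somebody writes through the VM; a write the VM never sees, which is what the mounted-image trick achieves, gives you nothing at all. A privileged receiver that validates data it was handed should validate a private copy and then use that copy.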
And now the bug is out in the open, complete with a proof of concept on the bug tracker, because Apple hasn't yet closed a loophole it was shown last November.
"Apple are intending to resolve this issue in a future release, and we're working together to assess the options for a patch," a comment on the bug reads. "We'll update this issue tracker entry once we have more details."
Sit tight, Mac users. µ