Google Project Zero Exposes Severe macOS XNU Kernel Flaw After Apple Inaction

Apple MacBook
Through its Project Zero team, Google has appointed itself a vanguard of software security and accountability. As such, every so often Project Zero publicizes a security flaw that has gone unpatched for at least 90 days, sometimes at the contentious objection of the company it affects. This time it is Apple and its macOS software that is in Project Zero's spotlight.

The security team has discovered what it deems to be a high severity bug in the operating system's kernel, XNU, which allows copy-on-write (COW) behavior in ways that it perhaps should not.

"This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem," Project Zero explains.

The way it operates, an attacker could conceivably mutate an on-disk file without informing the virtual management subsystem, and is therefore a security bug, the team says. To prove it, one of the the team's researchers wrote a proof-of-concept exploit that demonstrates the problem with this approach.

Project Zero notified Apple of its discovery back in November of last year. Since there is still no fix, the team went public with the flaw. That said, Project Zero says Apple intends to fix the issue in a future release, and is working with the company on "options for a patch."
Show comments blog comments powered by Disqus