There’s a disclosure deadline between the point at which a security flaw is revealed to a company and the revealer’s public disclosure. That’s how it should be, anyway. This gives time to the company to fix the flaw before the flaw becomes public and inevitably exploited by malicious entities. In today’s story, Google Project Zero developers showed Apple a flaw in MacOS, and the standard 90-day disclosure deadline was exceeded.
The bug disclosure deadline is over after 90 days or a patch is made broadly available. One way or the other, the bug must be made public. Better that everyone knows and a fix can be found due to necessity. Bug hunters on the case!
According to a Google representative, Google has indeed been in contact with Apple “regarding the issue” but as of right this minute, “no fix is available.” This same representative said that “Apple are intending to resolve this issue in a future release, and we’re working together to assess the options for a patch.”
So, everyday average readers – watch out for MacOS updates. They are VERY important, pretty much always, but right now more than usual.
For those of you more interested in the issue’s ins and outs, let’s have a peek at what’s going on. This issue begins with a user-owned filesystem image, and MacOS’s allowance of normal users to mount filesystem images as such.
NOTE: The image you see above is a modified version of the painting “Morphling” by artist RK Post. It was originally used (before I modified it for this article) as card art for a Magic: The Gathering card back in Urza’s Saga.
This all begins with XNU. XNU is an OS kernel Apple’s been using since 1996, updating with an Apple Public Source License 2.0 and in use on devices like MacOS, Apple TV software, watchOS, tvOS, iOS, and audioOS.
XNU allows copy-on-write data copying between processes. XNU’s copy-on-write ability works with anonymous memory and file mappings, too. The issue is with “memory pressure” and a method with which changes are made to your computer without your virtual management subsystem knowing.
Basically an attacker could modify code in your computer and you’d never know it, because even your operating system wouldn’t really “know it” enough to tell you about it.
Avoid mounting disk images or downloading and loading files from unknown sources. That second part is just a basic safety rule you should ALWAYS follow – but you do you! If you’d like to follow the flaw’s listing on at the source, head over to Google’s Monorail Project Zero and see what’s up!