Researchers have disclosed a vulnerability in the macOS kernel that has been given a high-severity rating. The flaw lies in how the kernel's copy-on-write (COW) behaviour interacts with mounted filesystem images: an attacker can alter a mounted image's backing file so that data another process believes it holds a protected copy of changes underneath it, without the operating system noticing.

The kernel offers interfaces for passing copy-on-write copies of data between processes, including out-of-line descriptors in Mach messages. For these to be safe, the copied memory must be protected against later modification by the sending process; otherwise a double read in the receiving process becomes exploitable. Copy-on-write applies not only to anonymous memory but also to file mappings, which means that “after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.”

The bug is that macOS lets ordinary users mount filesystem images, and a mounted image can be mutated directly, for example by calling pwrite() on the image file, without that change being propagated to the mounted filesystem or to the virtual memory management subsystem. An attacker who mutates the image after the receiving process has checked the shared data can therefore have different bytes reloaded from disk on the next access, defeating the copy-on-write guarantee.

The researchers reported the flaw to Apple in November and gave the vendor 90 days to release a fix. With that deadline now passed, they have taken the flaw public.
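The same hazard can be shown in user space without a macOS kernel or a mounted image. The following C program is an added illustration, not code from the original report or from the researchers: it maps a constructed temporary file with MAP_PRIVATE, takes an explicit copy of the data, then mutates the backing file with pwrite() and compares what the two views observe. On Linux a page that has only been read through a private mapping is still the shared page-cache page, so the "private" view reflects the tampering while the explicit copy does not. POSIX leaves this visibility unspecified, so the observed behaviour is Linux's; the file path, the sample contents and the function names are assumptions made for the demo.

```c
/*
 * Added demo (not part of the original article): a MAP_PRIVATE file
 * mapping is copy-on-write, not a snapshot. A page the reader has only
 * read still comes from the page cache, so a later pwrite() to the
 * backing file is visible through the "private" view. Linux behaviour;
 * POSIX leaves it unspecified.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed file contents standing in for a filesystem image (equal length). */
static const char ORIGINAL[] = "perm=ro";
static const char TAMPERED[] = "perm=rw";

/* What each view observed after the backing file was mutated. */
struct cow_result {
    int mapping_saw_change;   /* 1 if the MAP_PRIVATE view changed after pwrite() */
    int snapshot_saw_change;  /* 1 if the explicit copy changed (must stay 0) */
};

/* Create a temp file holding ORIGINAL, map it privately, mutate it with
 * pwrite(), and record what each view sees. Returns 0 on success, -1 on error. */
int run_cow_experiment(struct cow_result *out)
{
    char path[] = "/tmp/cow_demo_XXXXXX";   /* assumed writable temp location */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);   /* file disappears when fd is closed; keeps the demo self-cleaning */

    if (write(fd, ORIGINAL, sizeof ORIGINAL) != (ssize_t)sizeof ORIGINAL) {
        close(fd);
        return -1;
    }

    long pagesz = sysconf(_SC_PAGESIZE);
    char *view = mmap(NULL, (size_t)pagesz, PROT_READ, MAP_PRIVATE, fd, 0);
    if (view == MAP_FAILED) {
        close(fd);
        return -1;
    }

    /* Hardened pattern: copy into anonymous memory before any check-then-use.
     * This read also faults the page in, shared read-only with the page cache. */
    char snapshot[sizeof ORIGINAL];
    memcpy(snapshot, view, sizeof ORIGINAL);

    /* Vulnerable pattern: "validate" directly through the mapping. */
    int ok_before = memcmp(view, ORIGINAL, sizeof ORIGINAL) == 0;

    /* Another party mutates the backing file behind the mapping (the role
     * pwrite() on the image file plays in the macOS bug). */
    if (pwrite(fd, TAMPERED, sizeof TAMPERED, 0) != (ssize_t)sizeof TAMPERED) {
        munmap(view, (size_t)pagesz);
        close(fd);
        return -1;
    }

    /* Re-read both views: the mapping now shows TAMPERED, the snapshot does not. */
    out->mapping_saw_change = ok_before && memcmp(view, TAMPERED, sizeof TAMPERED) == 0;
    out->snapshot_saw_change = memcmp(snapshot, ORIGINAL, sizeof ORIGINAL) != 0;

    munmap(view, (size_t)pagesz);
    close(fd);
    return 0;
}

int main(void)
{
    struct cow_result r;
    if (run_cow_experiment(&r) != 0) {
        perror("cow experiment");
        return 1;
    }
    printf("private mapping saw tampering:  %s\n", r.mapping_saw_change ? "yes" : "no");
    printf("explicit snapshot saw tampering: %s\n", r.snapshot_saw_change ? "yes" : "no");
    return 0;
}
```

The lesson for a receiving process is the one the kernel had to learn here: a copy-on-write view of file-backed memory is only as trustworthy as the backing file, so data that will be checked and then used must be copied into memory the other party cannot reach before the check is made.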