macOS Has a High-Severity Vulnerability, Apple Quiet on Patch

Google's Project Zero team today found a high-severity bug in Apple macOS that lets an attacker exploit a user's system without the user's knowledge. The bug applies to all MacBook notebooks and, regrettably, there is no solution until Apple officially releases an update to permanently patch the problem.

Security experts from Google's Project Zero team shared the details of the vulnerability, which is marked as high severity, on Monorail. The bug stems from the copy-on-write behavior permitted by the XNU kernel, which works with anonymous memory and file mappings. According to the report, memory copied on the Mac operating system is not properly protected against unauthorized modification. This process can be exploited.

This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem.

Apple has said nothing about the bug yet. Security experts from the Project Zero team are in contact with the company regarding the problem. On Apple's end, the bug will be resolved through patches in a future update release; there is no prompt action on this.

We’ve been in contact with Apple regarding this issue, and at this point no fix is available. Apple are intending to resolve this issue in a future release, and we’re working together to assess the options for a patch. We’ll update this issue tracker entry once we have more details.

Until then, Mac users will have to wait and keep checking for the latest updates. Apple has been informed of the problem and might soon release a patch to block the vulnerability.

Source: Bugs.Chromium.Org

Raj S: Raj is a tech enthusiast, a geek by heart and die-hard fan of Sci-Fi movies.