UPDATED 21:13 EST / MARCH 04 2019

SECURITY

Massive macOS vulnerability exposed by Google security researchers

It’s often claimed that Apple Inc. products are safe from hacking, but even though that has been proven to be false time and time again, a new vulnerability has emerged that suggests threats have graduated from a soldier with a gun to a B-52 dropping a large bomb.

Discovered by Google LLC’s Project Zero security arm in November but only published now, the “high severity” flaw in the macOS kernel allows a hacker to access a computer without the user’s knowledge. The vulnerability allows an attacker to modify a mounted disk image, then get the Mac to run the modified code by exploiting macOS’s memory management system.

As VentureBeat pointed out, the severity so high because “users mount disk images all the time, yet macOS doesn’t re-check the images when it automatically purges and reloads content in the course of managing its limited memory.”

“This copy-on-write behavior works not only with anonymous memory, but also with file mappings,” Google’s security researchers explained. “This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.

Casey Ellis, chief technology officer and founder of Bugcrowd Inc., told SiliconANGLE the disclosure will pressure Apple to issue a fix as quickly as possible. It also will likely put pressure on the company to extend its existing iOS bug bounty program to macOS devices, he said.

This isn’t the first time a lack of bug bounty of macOS has been in the news. An 18-year-old German security researcher exposed a macOS bug in February while claiming that he refused to work with Apple because of a lack of a bug bounty program for the operating system.

“In the meantime, macOS users may be at risk from malicious use of the details that Google’s Project Zero have released,” Ellis said. “The scope of potential ways to exploit this vulnerability is so broad that there isn’t any practical advice I can provide to avoid it while it’s unpatched. Mac OS X users should enable automatic updates on their Apple devices to ensure that a patch is installed as soon as Apple release it, and this advice goes in general for all personal systems.”

Photo: U.S. Department of Defense

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU