When it comes to cybersecurity, Apple’s devices have been praised for being among the best in the market; if not the best. However, an elite cybersecurity task force set up by Google – Project Zero – has discovered a flaw in the macOS desktop operating system they are terming “high-severity” vulnerability.
According to Project Zero, the zero-day vulnerability leaves such a gaping hole that an attacker could exploit the system without the victim ever noticing a thing. The said vulnerability stems from copy-on-write, a macOS process enabled by Apple’s XNU kernel, which works with anonymous memory and file mapping.
The memory being copied on a Mac computer is not sufficiently protected against modification thus the copy-on-write process can be easily exploited by attackers to copy malicious codes.
According to a blog post by the security researchers working for Project Zero, “This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.”
Project Zero gave Apple 90-days period but nothing was done
The name Project Zero might be familiar to you, it is the same cybersecurity agency that first discovered the Meltdown security attack in 2018. The agency has also been on the frontline in discovering a number of zero-day vulnerabilities across other platforms including Windows.
Upon discovering this vulnerability with macOS, they approached Apple and informed them of it. In keeping with their tradition, they normally give 90-days window for the publisher of software to release a fix for the vulnerabilities they unearth.
Since Apple was approached by the agency, the Cupertino company has not released any fix for the vulnerability. Now Google has outed (made public) the fix as it normally does after the lapse of the 90-days window; whether or not the publisher has issued the fix.
“We’ve been in contact with Apple regarding this issue, and at this point no fix is available. Apple is intending to resolve this issue in a future release, and we’re working together to assess the options for a patch. We’ll update this issue tracker entry once we have more details.”
It has not been established how many victims have fallen into the gaping security hole on macOS so far. However, with Google having made public of the issue before Apple released a fix. There is no doubt many would-be hackers around the world will jump on this matter, and try to figure out ways to capitalize on the vulnerability before Apple releases a fix.