Google's Project Zero team has revealed a “high severity” macOS kernel flaw that allows an attacker to modify a user-owned mounted filesystem without the knowledge of macOS memory manager. Even after getting information about the flaw on November 30, 2018, Apple is yet to release a patch for the same, leaving macOS users vulnerable to possible exploitation. Project Zero team has a strict automatic 90-days disclosure policy, which means even if a company has not released a fix 90 days after being informed by Google, the team will publicly reveal the security vulnerability. The team does offer a grace period in select cases but that hasn't happened with Apple in this instance.
The Project Zero team writes that they found a loophole in the copy-on-write (CoW) protection of macOS, which manages the computer's memory and makes sure that a process doesn't change the data shared by other processes. The team discovered that when a mounted filesystem image is changed directly, macOS doesn't propagate the information to its memory manager. So basically, an attacker can unmount a file system and then remount it with changed data and the system would be none wiser.
The Wired notes that it will be really hard to exploit the flaw disclosed by Project Zero and it needs the prospective victim to already have some kind of malware present on their computer.
Apple is yet to publicly comment on the security flaw, but it is said to be working on patch, which will arrive with a future release.
"We've been in contact with Apple regarding this issue, and at this point no fix is available," the researchers told ZDNet in a statement. "Apple are intending to resolve this issue in a future release, and we're working together to assess the options for a patch."