There is a vulnerability in the macOS kernel an attacker could leverage to end up making changes to data, researchers said.
The issue starts all in the way the copy-on-write feature is in macOS which makes it possible for a user to make changes to a mounted file system image without the operating system to be aware of them, said researchers at Google Project Zero.
“This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.
“This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.
MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem,” researchers said in a post.
Google reported the issue to Apple in late November and after 90 days if the vulnerability is not fixed, they release the details. Apple said, however, they are working on a fix.