Nearly five years ago, Google formed its Project Zero research group to reduce the impact of zero-day attacks on users, and since then it has reported numerous bugs to companies such as Apple, notably chastising its rival last October for taking too long to fix bugs and for sneaking details of fixes into already published security advisories. Today, the Project Zero team revealed (via NeoWin) another “high severity” macOS kernel bug that can allow an attacker to take control of a Mac, which it says Apple has left unfixed for 90 days.
If this sounds similar to the last Google-Apple bug situation, it is and it isn’t: Once again, the latest bug could impact millions of Mac users, but this isn’t a case of complete neglect. This bug enables an attacker to quietly modify a mounted disk image, then get the Mac to run the modified code by exploiting macOS’s memory management system.
The reason it’s so severe is that users mount disk images all the time, yet macOS doesn’t re-check the images when it automatically purges and reloads content in the course of managing its limited memory. Because of that, the Mac will have no idea that it’s copying modified and potentially malicious code to be executed.
As dangerous as that sounds, Project Zero says that Apple is aware of the issue and plans to fix it in a future macOS release, though 90 days have already passed since the vulnerability was discovered and reported to the company. The researchers are working with Apple on a patch, but there isn’t a timeline yet for its release.
Beyond Google, Apple has faced criticism recently for its bug-addressing practices. The company apparently ignored multiple user reports of an astonishing bug in FaceTime until news stories and social media posts began to circulate. Last month, a German researcher criticized the company for not offering bug-reporting bounties for macOS and said he was refusing to disclose a serious password-related bug to Apple, though he has since changed his mind.