Google reveals BuggyCow macOS security flaw

Google’s Project Zero researchers have revealed a “high severity” macOS security flaw nicknamed ‘BuggyCow’ that Apple appears to be in no rush to patch.

The vulnerability is in the way macOS implements a memory optimisation and protection routine used by all OS file systems called copy-on-write (COW).

The principle behind COW is that it provides a way for different processes to efficiently and securely share the same data object in memory until they need to modify it in some way – at that point, they must make their own copy of the data rather than changing the data in memory.

Writes Google’s Jann Horn:

It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process.

Using BuggyCow, malware already running on a Mac might be able to tamper with the copy of the data written to the disk in a way that is invisible to the file system:

This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.

If that related to a privileged process, that might be a route to a privilege escalation capable of interfering with sensitive data.

The specific mechanism used in the researchers’ proof-of-exploit involves unmounting and remounting the file system, which apparently generates no warning via the memory management layer.

The obvious objection is that a Mac that has malware on it capable of launching this kind of attack is already in deep trouble even without this somewhat involved technique being in the public domain.

But perhaps that’s to miss the most intriguing aspect of this story – the way Apple has reacted (or not) to Google telling it about the problem.

Deadline missed

Project Zero told Apple about the vulnerability on 30 November 2018 which means that Project Zero’s 90-day deadline for the company to address the issue expired on 28 February.

Doubtless, Apple has something in the works but either has other things to fix first or doesn’t want to be rushed despite the Google team rating its severity as “high”. Writes Horn, rather hopefully:

We’ve been in contact with Apple regarding this issue, and at this point no fix is available. Apple is intending to resolve this issue in a future release, and we’re working together to assess the options for a patch. We’ll update this issue tracker entry once we have more details.

Apple has yet to comment on the flaw but if you’re a macOS user, there’s no need to panic. It’s on the to-do list.

It’s not the first time COW has been in the news. In 2016, a flaw in the Linux kernel dubbed DirtyCOW (CVE-2016-5195) emerged that could allow root access – another version of the same privilege escalation weakness.