Google's cyber security experts have released a security vulnerability in the core of macOS. This vulnerability, considered "very severe", was first communicated to Apple, which has not yet corrected.
The bug was discovered by computer security researchers at Project Zero, Google . The goal of this team is to track zero-day vulnerabilities, that is to say those that have not yet been exploited or corrected.
But this process seems to suffer from an imperfect implementation in macOS. Project Zero experts have realized that it is possible to modify a system image without the management subsystem being informed. This means that a malicious individual could take advantage of it to corrupt a file, without causing an alert.
However, if Apple has not yet corrected the vulnerability, the company is working with Project Zero experts to do so. The two entities have started a collaboration, which should soon lead to the publication of a security patch.
The bug was discovered by computer security researchers at Project Zero, Google . The goal of this team is to track zero-day vulnerabilities, that is to say those that have not yet been exploited or corrected.
The XNU kernel at the heart of the problem
This time, it's the operating system of Apple macOS that has been pointed out by Google experts. Or more precisely its hybrid nucleus, XNU . The problem comes from the copy-on-write (COW) mechanism . This allows you to create copies of resources shared by different processes, in order to optimize the memory used.But this process seems to suffer from an imperfect implementation in macOS. Project Zero experts have realized that it is possible to modify a system image without the management subsystem being informed. This means that a malicious individual could take advantage of it to corrupt a file, without causing an alert.
The 90-day period elapsed
In accordance with its policy, the Project Zero team began by warning Apple of this vulnerability last November. She then gave the firm 90 days to solve the problem . After the lapse of time, she decided to make public the security breach, in the category "high severity", so that users can take the necessary measures.However, if Apple has not yet corrected the vulnerability, the company is working with Project Zero experts to do so. The two entities have started a collaboration, which should soon lead to the publication of a security patch.