Google’s office complex in New York, 2006.
Photo: Mark Lennihan (AP)

Google’s bug-zapping Project Zero team has uncovered what it said was a “high-severity” flaw in the macOS kernel, Wired reported on Monday, and revealed the details on March 1 following the expiration of a 90-day period for Apple to patch the exploit.

The vulnerability, known as BuggyCow, allows for attackers to bypass the protection built into macOS’s copy-on-write (CoW) system, which manages device memory. Essentially, the bug allows for the modification of a user-owned mounted filesystem image without issuing any warnings that something is amiss to the virtual management subsystem—something that Rendition Infosec founder Jake Williams told Wired was like airline passengers carefully watching airport security rifle through their luggage, but those same passengers not bothering to ensure none of their valuables were removed mid-transit upon reaching their destination.


This creates all sorts of vulnerabilities, Project Zero wrote:

XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process.

This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.

This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.


Wired noted that exploiting the vulnerability would require malware to already be running on a target machine, and even then “could do so only if it found a highly privileged program that kept its sensitive data on the hard drive rather than memory.”

According to ZDNet, Google has moved on with publishing the bug after waiting 90 days even though Apple has not yet released a fix, as part of a policy designed to encourage developers to patch their software instead of letting serious problems go unaddressed. Previous bugs nabbed by the Project Zero team have included issues of varying severity within Windows 10 (described as “crazy bad”), Windows 10 S, and Microsoft’s Edge browser.

As Engadget noted, Google sometimes offers 14-day extensions on the 90-day deadline, but apparently declined to do so in this instance.


“We’ve been in contact with Apple regarding this issue, and at this point no fix is available,” one developer wrote the comments under the post. “Apple are intending to resolve this issue in a future release, and we’re working together to assess the options for a patch. We’ll update this issue tracker entry once we have more details.”

This particular vulnerability seems both sophisticated and pretty bad, though given its complexity, the risks for the average user seem unclear. However, Apple has had a number of major bugs pop up in the last few years, such as a 2017 macOS High Sierra bug that allowed users to take over other accounts and gain administrative privileges merely by typing “root” into username fields, and another that year that potentially allowed for the extraction of passwords in plaintext. More recently, a major bug in Facetime allowed for anyone to eavesdrop on other Facetime users.

[Project Zero via Wired/Neowin]