Google Shares Details on Unpatched 'High Severity' macOS Kernel Flaw

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Mar 4, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    Google's Project Zero team in November found a "high severity" macOS kernel flaw that was recently disclosed (via Neowin) following the expiration of a 90-day disclosure deadline.

    As explained by Google, the flaw allows an attacker to modify a user-owned mounted filesystem image without informing the virtual management subsystem of the changes, meaning a hacker can tweak a file system image without user knowledge.

    According to Google, Apple has not yet fixed this issue. Apple is planning to implement a fix in an upcoming software update, however.
    Google released the details on the bug without a fix from Apple because of its Project Zero policies. After discovering a security flaw, Project Zero provides details to the company that makes the software, providing them with 90 days to fix it before disclosure.

    Google then publicly shares details on security flaws when a bug is fixed or when the 90-day deadline expires. Apple was informed of the bug in November, and the 90-day period elapsed without a fix.

    Mac users should, as always, be wary of the files they're downloading to avoid attacks like this, making sure to download files only from trusted sites. It's not known if this is a bug that's easy to exploit, but Google has marked it as severe because it has the potential to bypass macOS safeguards.

    Article Link: Google Shares Details on Unpatched 'High Severity' macOS Kernel Flaw
     
  2. StellarVixen macrumors 68000

    StellarVixen

    Joined:
    Mar 1, 2018
    Location:
    Earth
  3. GreenPixel macrumors member

    GreenPixel

    Joined:
    Aug 21, 2014
    #3
    Any bets on if Apple fixes this within 90 days?
     
  4. Lalov001, Mar 4, 2019
    Last edited: Mar 4, 2019

    Lalov001 macrumors newbie

    Joined:
    Oct 6, 2011
    Location:
    Mexico
    #4
    Seems like Apple's PR department is the only body capable of making Apple's Security Team care about fixing critical bugs.
     
  5. Jimmdean macrumors 6502

    Joined:
    Mar 21, 2007
    #5
    Bugs that don't have real-world exploits yet are probably not front-page worthy...
     
  6. JosephAW macrumors 68020

    JosephAW

    Joined:
    May 14, 2012
    #6
    How does this affect previous macOS versions? Still running El Capitan because of hardware limitations and compatibility options and 32 bit app support for iOS. Didn't read which kernels are affected.
     
  7. pallymore macrumors regular

    pallymore

    Joined:
    Sep 24, 2013
    Location:
    Boston, MA
    #7
    They were informed about this back in Nov. Now the 90-day deadline has already passed.
    I'm pretty sure this press release will put more pressure on them to fix this in the next update.
     
  8. eagle33199 macrumors member

    Joined:
    Mar 13, 2007
    #8
    Out of curiosity, has Google's Project Zero disclosed unpatched issues in Google's own software? I've heard of a few directed at Apple products, but none directed at Google's own products...
     
  9. chrfr macrumors 604

    Joined:
    Jul 11, 2009
    #9
    The 90 days has already elapsed.
     
  10. GrumpyMom macrumors G3

    GrumpyMom

    Joined:
    Sep 11, 2014
    #10
    A teenager and Google trying to make Macs more secure :eek: and Apple's reported response to them looks like "talk to the hand". :confused:

    What are they doing over in the spaceship? I'm not even remotely technically literate so I'm genuinely curious: is this a sign of internal mismanagement or nothing really of consequence but makes an interesting headline?
     
  11. WannaGoMac, Mar 4, 2019
    Last edited: Mar 4, 2019

    WannaGoMac macrumors 68020

    WannaGoMac

    Joined:
    Feb 11, 2007
    #11
    That's it. Time to switch back to Windows. /s
     
  12. nate13 macrumors 6502

    nate13

    Joined:
    Feb 16, 2004
    Location:
    Fargo, ND
    #12
    I think the likelihood of being exposed to this vulnerability is quite low (assuming they need physical possession of your hardware, to start). What brought me to the forum was to say, I'm glad for news like this. Not that vulnerabilities aren't bad, but because knowing there are teams identifying and resolving these issues is making a secure future for everyone. Sure, there are people who can flame Apple for not fixing sooner (I'm sure there are legitimate reasons, not some dude saying "nah, not today Google"), but that we have a culture that is pushing security is encouraging.

    I'd be interested to know how many negative commenters are knowledgeable in low level kernel/file system architecture to even reproduce the vulnerability, let alone patch it to an installed base of millions of users. It's so easy to critique things you don't understand.
     
  13. quatermass macrumors member

    quatermass

    Joined:
    Sep 19, 2009
    #13
    But, but, but... New Emojis! No really, look, over here - new emojis! And thinner too!
     
  14. nate13 macrumors 6502

    nate13

    Joined:
    Feb 16, 2004
    Location:
    Fargo, ND
    #14
    Interesting headline. Low level security vulnerabilities can have huge implications on the software that runs above them (in this case, everything). If this was a breach that was able to be executed remotely and in a distributed manner, it would be patched immediately.
     
  15. GrumpyMom macrumors G3

    GrumpyMom

    Joined:
    Sep 11, 2014
    #15
    I can't tell if you're joking or serious but I can see some people reading this news and thinking that. Which is why I asked my question in the post before yours.

    With Windows a user's PC is going to get hammered all the time with security threats both commonplace to catch all the technically illiterate unaware and very complex to catch out heavily secured systems.

    How vulnerable are most Mac users really? How easily are the two most recently uncovered exploits implemented? Dramatic news stories are all well and good but how likely is a suburban soccer mom like me to be harmed by this?
     
  16. SecuritySteve macrumors 6502a

    SecuritySteve

    Joined:
    Jul 6, 2017
    Location:
    California
    #16
    This kind of stuff happens all the time. Apple is probably working on a fix, or already has a fix in the beta that we just don't know about because CVE details have not been released. Apple fixes vulnerabilities in every single macOS update. Check https://support.apple.com/en-us/HT201222 for details.
     
  17. arkitect macrumors 603

    arkitect

    Joined:
    Sep 5, 2005
    Location:
    Bath, United Kingdom
    #17
    By the looks of it, running around in circles…
     
  18. Daveoc64 macrumors 601

    Joined:
    Jan 16, 2008
    Location:
    Bristol, UK
    #18
    Yes. There have been automatic disclosures after 90 days for several Google projects, including Android.
     
  19. centauratlas macrumors 65816

    centauratlas

    Joined:
    Jan 29, 2003
    Location:
    Florida
    #19
    90 additional days? (Since the first 90 day period is gone). Hopefully now that it is public.
     
  20. axantas, Mar 4, 2019
    Last edited: Mar 4, 2019

    axantas macrumors 6502

    axantas

    Joined:
    Jun 29, 2015
    Location:
    Home
    #20

    As an owner of the famous crashing Apple TrashCan (known as MacPro 2013) I have a quite critical look at Apple. However - they are not stupid. They generally know very well what they are doing (...besides creating new gorgeously colored watchbands). I still kind of trust Apple. NOT acting the appropriate way could be devastating. And I think (in the shareholders' sense...) Apple will take the right steps.
     
  21. Kabeyun macrumors 68020

    Kabeyun

    Joined:
    Mar 27, 2004
    Location:
    Eastern USA
    #21
    At this point I have to believe personal computer malware problems come from user foolishness installing something they shouldn’t’ve. No one is out there furiously trying to hack into your desktop. Watch where you visit, what you download, and what you open. Anyone who doesn’t know this by now probably needs an infection as a teaching point.

    But Android’s perfect and Apple is poo poo. Don’t you read MR forums??
     
  22. mi7chy macrumors 603

    mi7chy

    Joined:
    Oct 24, 2014
    #22
    This is what happens when you've spent too much on hiring propagandists instead of security researchers and developers.
     
  23. StellarVixen macrumors 68000

    StellarVixen

    Joined:
    Mar 1, 2018
    Location:
    Earth
    #23
    nothing. This is not a priority, as there is a low chance of exploitation by someone who has no physical access to your device.

    It needs to be patched, but it is not “red alert”.

    It is not the bug that concerns me, it is how Apple treats issues. They can be quiet for months.
     
  24. rforno macrumors newbie

    Joined:
    Oct 18, 2017
    #24
    Courage, people. I'm sure the forthcoming fix will also make OSX even thinner and more beautiful than ever, too.

    But srsly, I agree - on a lot of reported security stuff Apple's corporate ego seems to get the better of them.
     
  25. Darmok N Jalad macrumors 68000

    Darmok N Jalad

    Joined:
    Sep 26, 2017
    Location:
    Tanagra
    #25
    Google has done the same to Windows in the past. It’s all good and fine, but it’s just an arbitrary deadline, one that I don’t believe Google enforces on itself. Android’s severe fragmentation (multiple Android versions and various degrees of OEM support) makes it very hard to police in the same way that Google polices MS and Apple. Sure, they may have fixed an Android exploit, but that fix will only land on the handful of devices that get an actual security update.
     
