Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Google Shares Details on Unpatched 'High Severity' macOS Kernel Flaw

Westside guy said:
I don't want to sift through hundreds of my own Slashdot posts to find these again, but - when this question came up a couple years ago (another time when Apple took longer than 90 days to fix an exploit), I found several cases where what you state is not true. Project Zero seems to treat severe Google bugs differently than those of other vendors.

As I recall, with one of the bugs Project Zero withheld it for more than a year - only releasing the information after Google had finally patched it.
Click to expand...
You don't need to sift through dated info. They recently disclosed an unpatched bug from Nov 2018. They disclosed in Feb 2019. https://bugs.chromium.org/p/project...strict Reported Vendor Product Finder Summary
There have been other disclosures as well which can be easily found with a cursory google search. Relying on years old info really doesn't paint an accurate picture of what's going on today.
 
  • Like
Reactions: ROGmaster
Baymowe335 said:
Way to not understand what's going on and get the usual first post Mac dig for likes.
Click to expand...

I know exactly what is going on.

You can assume whatever you want. I have notifications enabled for MacRumors, that’s why I catch up with news early.

I wrote this comment out of concern for platform which I have used and loved since the 10.5, and would like to continue doing so, because I cannot imagine myself using anything else. But you are free to believe about me whatever you want.
 
  • Like
Reactions: 9081094
This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem.
Click to expand...

Hmmm. So you have a disc image file - like say those so frequent Flash installer updates. But lets say it has something important on it. You mount the image to work with it. Some secure application is using the mounted image as if it were physical media. It sets up RAM to file mapping. Unbeknownst to you, you have some user mode malware that is watching. At a critical time, the malware directly modifies the disc image file and manipulates the system to cause a reload from the "drive".

I'd say this is a rather broad vulnerability, but with only niche uses. The same malware could have modified the image before it was even in use. The only extra vulnerability is temporal access to the internals of the secure application.
 
  • Like
Reactions: zulkiflim
Kabeyun said:
No one is out there furiously trying to hack into your desktop.
Click to expand...

As someone who manages servers, I can tell you that's not true. Cybercriminals will hijack anything to do their bidding. Massive botnets of infected PCs are the stuff of nightmares for any sysadmin. New waves of attacks spawn as quickly as you can put down the previous wave.

Kabeyun said:
Watch where you visit
Click to expand...

That's not enough. You can very easily get snookered into downloading the wrong software through a deceptively designed banner ad that's showing on a legitimate software download site. You can also get tricked into visiting a shady site through browser hijacking banner ads, which have been known to run on MacRumors from time to time before they're caught.

You can click a link to a site that vanished, but had their domain re-registered by a criminal ring in some Eastern Bloc country to redirect you somewhere to trick you into downloading fake Adobe Flash updates or a tainted Java package.

The "just don't do anything stupid defense" that is commonly passed around MR is a good start, but it isn't much of a defense.
 
  • Like
Reactions: 5105973
HJM.NL said:
I can tell you what’s going on...

Timmy is watching upcoming shows and couldn’t find the time to respond.

Ive is still redecorating it’s office and can’t decide if the curtain would have a golden glow or not.

Phil is busy with its filmmakers crew for the next ‘shot on iPhone’ ad.

Eddy is trying to find the new Bambi for its third remake of carpool karaoke.
[doublepost=1551728166][/doublepost]
You propably don’t watch any Bambi movies Timmy is warning you about :D
Click to expand...

If you hate Apple so much why are you still here? It's kinda like despising your wife and complaining about her all the time. Divorce her already.
 
  • Like
Reactions: G5isAlive
mudflap said:
If you hate Apple so much why are you still here? It's kinda like despising your wife and complaining about her all the time. Divorce her already.
Click to expand...
I’m divorcing you know. But it’s like divorcing your wife, it takes time and it’s expensive :D
 
  • Like
Reactions: makitango
Stella said:
May explain why this bug still isn't fixed after 3 months.
Click to expand...

Every development team has to prioritize. They don't just drop everything they're doing and start different threads of work on a whim unless it's some truly nasty stuff that will lead to catastrophe.

Also, software development is hard. It's very hard. Every fix runs the risk of opening up new holes so that's another reason why things aren't always addressed as a daily fire drill.
 
  • Like
Reactions: zulkiflim
smirking said:
Every development team has to prioritize. They don't just drop everything they're doing and start different threads of work on a whim unless it's some truly nasty stuff that will lead to catastrophe.

Also, software development is hard. It's very hard. Every fix runs the risk of opening up new holes so that's another reason why things aren't always addressed as a daily fire drill.
Click to expand...

Every software projects I've been on, if there's a critical bug or issue we re-prioritize accordingly and get it fixed ASAP. We don't let it linger around.
 
  • Like
Reactions: makitango, zulkiflim and 9081094
hagjohn said:
Sounds more like frustration, instead of hate.
Click to expand...
Yes, being a devoted Apple user since 1989 and I’ve been going through many transitions. Believe me, since 2012 it’s going downhill with my experience with Apple.

And indeed, it’s so bad that I’ve ordered for a divorce. But after investing years, it’s not something that can be done easily. It’s not only hardware but software investment as well.

In a certain way it’s cheaper and more easy to divorce your wife than divorcing Apple.

But I’m working on it :D
 
  • Like
Reactions: makitango, freedomlinux, Hastings101 and 1 other person
Stella said:
Every software projects I've been on, if there's a critical bug or issue we re-prioritize accordingly and get it fixed ASAP. We don't let it linger around.
Click to expand...

Not that I have any idea what Apple's collective codebase looks like nor do I have any idea how sophisticated of a programmer you are, but I think it's safe to bet that anything you or I would be working on looks like a rowboat next to a luxury cruise liner in comparison to what they're dealing with.

Perhaps it's unforgivable they let it go. Or maybe they couldn't move on it until a dependency fell in place. I have no idea so I'm not going to speculate.
 
Last edited:
smirking said:
As someone who manages servers, I can tell you that's not true. Cybercriminals will hijack anything to do their bidding. Massive botnets of infected PCs are the stuff of nightmares for any sysadmin. New waves of attacks spawn as quickly as you can put down the previous wave.



That's not enough. You can very easily get snookered into downloading the wrong software through a deceptively designed banner ad that's showing on a legitimate software download site. You can also get tricked into visiting a shady site through browser hijacking banner ads, which have been known to run on MacRumors from time to time before they're caught.

You can click a link to a site that vanished, but had their domain re-registered by a criminal ring in some Eastern Bloc country to redirect you somewhere to trick you into downloading fake Adobe Flash updates or a tainted Java package.

The "just don't do anything stupid defense" that is commonly passed around MR is a good start, but it isn't much of a defense.
Click to expand...

Agree 100%. Anyone who watches tcpdump on their router's WAN interface will pretty quickly lose the illusion that they are not under attack every moment of every day.
 
  • Like
Reactions: zulkiflim and smirking
Windows XP and prior were a nightmare for viruses and malware. I worked as a PC tech for years and we earned a lot of money removing viruses.

Personally, I haven’t gotten a single virus or malware since getting a windows 7 laptop 9 years ago. Nothing.

I have a Win 7 and Win 10 desktop still (HTPC) and have never gotten anything on either. Really hard to get a virus unless you are careless or open suspicious emails these days. I’ve never run any anti-virus sofware either.

Just thought I’d mention as I think the myth of Windows PCs being easily infected needs to stop.
 
  • Like
Reactions: zulkiflim and 5105973
GreenPixel said:
Any bets on if Apple fixes this within 90 days?
Click to expand...

They already missed the 90 day window, and that is why this info was released publicly.

The premise of your bet needs to be clarified - or most likely you just didn’t catch that part of the article I’m guessing.

Edit: (just like how I missed other post ahead of mine responding already to your post about this 90 days thing). Sorry bout that.
 
Last edited:
smirking said:
As someone who manages servers, I can tell you that's not true. Cybercriminals will hijack anything to do their bidding. Massive botnets of infected PCs are the stuff of nightmares for any sysadmin. New waves of attacks spawn as quickly as you can put down the previous wave.



That's not enough. You can very easily get snookered into downloading the wrong software through a deceptively designed banner ad that's showing on a legitimate software download site. You can also get tricked into visiting a shady site through browser hijacking banner ads, which have been known to run on MacRumors from time to time before they're caught.

You can click a link to a site that vanished, but had their domain re-registered by a criminal ring in some Eastern Bloc country to redirect you somewhere to trick you into downloading fake Adobe Flash updates or a tainted Java package.

The "just don't do anything stupid defense" that is commonly passed around MR is a good start, but it isn't much of a defense.
Click to expand...
I agree broadly, bu Byouve wuoy d me selectively. I never said watch where you visit. I said watch where you visit, watch what you download, watch what you open. You chose to reply to part of that as though it were the whole thing.

And yes, I maintain that there isn’t some army of evildoers out there trying to get into your computer by blindly banking into it. Your answer is not a contradiction to this assertion. Yes, people will hijack anything, but it happens because the user installed something they should not have, allowing their PC to be compromised. No one is hacking into my computer without my first having installed something that will let them. This vulnerability Google reported is just scare tactics.
 
eagle33199 said:
Out of curiosity, has Google's Project Zero disclosed unpatched issues in Google's own software? I've heard of a few directed at Apple products, but none directed at Google's own products...
Click to expand...
This is my point of exactly. And they bury any unfavorable information is their search results.
[doublepost=1551741828][/doublepost]
69Mustang said:
The short answer is yes they do disclose on Google. The longer answer is yes they do. The most recent disclosed vulnerability comes from Nov 2018 https://bugs.chromium.org/p/project-zero/issues/detail?id=1718&q=android&colspec=ID Status Restrict Reported Vendor Product Finder Summary

I think the issue you're experiencing is not a matter of disclosure, but a matter of notoriety. Disclosure is simply making the details of the exploit known. Notoriety comes from some blogger or news site picking up the disclosure and publicizing it. Patched or not, they disclose and news sites sometimes pick up the info. Just not Apple-centric news sites... which is why you may not have heard of the disclosures.
Another forum member posted a question in an earlier article similar to yours.
Click to expand...
So, where are the articles posted on the news?
 
ph001bi said:
I can't tell if you're joking.
Click to expand...
/s means sarcasm.
[doublepost=1551744030][/doublepost]
curmudgeonette said:
Hmmm. So you have a disc image file - like say those so frequent Flash installer updates. But lets say it has something important on it. You mount the image to work with it. Some secure application is using the mounted image as if it were physical media. It sets up RAM to file mapping. Unbeknownst to you, you have some user mode malware that is watching. At a critical time, the malware directly modifies the disc image file and manipulates the system to cause a reload from the "drive".

I'd say this is a rather broad vulnerability, but with only niche uses. The same malware could have modified the image before it was even in use. The only extra vulnerability is temporal access to the internals of the secure application.
Click to expand...
The disk images you download usually contain checksums which allows them to have their integrity verified before being mounted. Malware could probably get around that, but it wouldn't be as easy as just modifying the disk image and letting it mount. By modifying the image AFTER it's mounted, it's able to bypass the integrity check. This is, I believe, what they're talking about.
 
Last edited:
nate13 said:
Interesting headline. Low level security venerabilities can have huge implications on the software that runs above them (in this case, everything). If this was a breach that was able to be executed remotely and in a distributed manner, it would be patched immediately.
Click to expand...

Yeah, this almost isn't exploitable, if I understand the bug correctly:
  • User mounts a filesystem backed by a dmg file.
  • Attacker with write permission on the dmg file modifies it.
  • Attacker uses a huge amount of RAM so that the in-memory copies of the data from the DMG get pushed out.
  • Kernel reads in modified DMG from disk when asked to read blocks from disk.
And in particular, the only definitive impact is when:
  • User runs app that sends Mach messages to another app using out-of-band data backed by a file on a DMG.
  • Attacker with write permission on the dmg file modifies the DMG.
  • Attacker uses a huge amount of RAM so that the in-memory copies of the data from the DMG get pushed out.
  • Kernel reads in modified DMG from disk when asked to provide the contents of that Mach message.
The only realistic exploits I can think of are things like:
  • Tricking the kernel into reloading a code page from an app running from a DMG after modifying it (very hard to exploit) while the app is running (to get around Gatekeeper)
  • Modifying or intercepting Mach messages in flight by mounting a DMG over top of /var/tmp (requires root) or some other location where apps are likely to store this sort of data.
And if you can do the latter, you can probably just use a modified kernel to do the same thing.

I'm really curious why this is considered high severity. At a glance, I would have called it a nuisance-level security bug.


Emanuel Rodriguez said:
/s means sarcasm.
[doublepost=1551744030][/doublepost]
The disk images you download usually contain checksums which allows them to have their integrity verified before being mounted. Malware could probably get around that, but it wouldn't be as easy as just modifying the disk image and letting it mount. By modifying the image AFTER it's mounted, it's able to bypass the integrity check. This is, I believe, what they're talking about.
Click to expand...

This is actually about modifying things that are temporarily stored on a DMG by modifying the underlying volume. If this were about modifying a DMG to avoid integrity checks, an attacker could just disable the checksum or substitute another volume with a valid checksum. Those checksums are to prevent corruption, not modification. Code signatures, on the other hand....
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back