Google’s Project Zero team has publicly disclosed a “high severity” flaw in the macOS kernel. Apple was made aware of the flaw back in November 2018. Project Zero has a 90-day disclosure policy: even if the company (Apple in this case) hasn’t issued a fix for the problem, Project Zero will publicly reveal the security vulnerability. There are special cases where a grace period is allowed.
In the case of macOS, the flaw is called BuggyCow. According to 9to5 Google, “security researchers have discovered that if a modification is made to a user-owned mounted filesystem image, the virtual management system isn’t notified of those changes. Thus, an attacker can potentially be granted access to perform malicious actions on that mounted filesystem without the end user ever knowing about it until it’s too late.” On the other hand, Wired notes that for the vulnerability to be exploited, the victim needs to have some kind of malware present on his/her computer.
Apple has reportedly acknowledged the BuggyCow flaw and is working with Google's Project Zero on a fix. However, there is no timeline available as to when the fix will be made available to consumers.
Thomas Reed, a Mac-focused researcher at security firm Malwarebytes, told Wired, "They've (Apple) had a lot of very-high-profile security-related bugs and some have been really, really stupid. It makes you wonder what’s going on with the QA process at Apple. Are they adequately testing? Lately, it seems like they’re not."
Apple’s iOS and Macs were affected by a FaceTime bug last month. The bug allowed users to initiate a group FaceTime call to eavesdrop. The bug was found by a 14-year-old who wanted to chat with his friends while playing Fortnite.