When Google's team of ninja bug-hunting researchers known as Project Zero finds a hackable flaw in somebody else's code, they give the company responsible 90 days to fix it before going public with their findings—patched or not. So like clockwork, 94 days after Google alerted Apple to a bug in its MacOS operating system that could allow malware to inject data into the most privileged code running on its computers, Mountain View's hackers are revealing that fresh zero-day vulnerability to the world.
On Friday, Google's Project Zero researchers quietly published a forum post outlining a previously unknown vulnerability in MacOS, which they call BuggyCow, in a piece of proof-of-concept demonstration code. The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac.
"I don't doubt for a minute this is serious."
Jake Williams, Rendition Infosec
The trick's name is based on a loophole the hackers found in the so-called copy-on-write, or CoW, protection built into how MacOS manages a computer's memory. Some programs, when dealing with large quantities of data, use an efficiency trick that leaves data on a computer's hard drive rather than potentially clog up resources by pulling it into memory. That data, like any data in a computer's memory, can sometimes be used by multiple processes at once. The MacOS memory manager keeps a map of its physical location to help coordinate, but if one of those processes tries to change the data, the memory manager's copy-on-write safeguard requires it to make its own copy. Which is to say, a program can't simply change the data shared by all the other processes—some of which could be more highly privileged, sensitive programs than the one requesting the change.
Google's BuggyCow trick, however, takes advantage of the fact that when a program mounts a new file system on a hard drive—basically loading a whole collection of files rather than altering just one—the memory manager isn't warned. So a hacker can unmount a file system, remount it with new data, and in doing so silently replace the information that some sensitive, highly privileged code is using.
Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec, compares the bug to how airline passengers carefully watch TSA agents if they open their luggage to inspect it but forget about their bags as soon as they're out of sight. "You pick up your suitcase at the airport, and you don’t go through it," he says. "You assume those contents haven’t changed, but you and I both know the contents do change, and that’s the vulnerability."
Technically, as a zero-day vulnerability with no patch in sight, BuggyCow applies to anyone with an Apple laptop or desktop. But given the technical skill and access needed to pull it off, you shouldn't lose much sleep over it.
How Serious Is This?
To even start carrying out this Rube Goldberg–style attack, a hacker would need a victim to already have some form of malware running on their computer. And while BuggyCow would allow that malware to potentially mess with the inner workings of higher-privileged parts of the computer, it could do so only if it found a highly privileged program that kept its sensitive data on the hard drive rather than memory.
In typically cryptic fashion, Google's Project Zero team didn't respond to WIRED's request for comment. But Williams speculates that the researchers likely already had in mind a target application that would allow malicious hackers to do something dangerous with their technique, although he didn't himself immediately know what it might be. "I don't doubt for a minute this is serious," Williams says. "I have very little question that there are things out there that are vulnerable to this."
Thomas Reed, a Mac-focused researcher at security firm MalwareBytes, points out that BuggyCow might be able to rewrite not only data used by highly privileged programs, but code too. "If a program left something like loadable code libraries in some kind of disk-based storage, that would be a prime target," Reed says. "Malware could write code into that and then use that to get the code executed with higher privileges."
BuggyCow continues Project Zero's practice of publicly dropping serious, unpatched security vulnerabilities in the code of major tech firms, from Apple and Facebook to Microsoft, a habit that has earned it occasional criticism from the security industry. But the group's strict 90-day deadline, Google has argued, is intended as a powerful motivator for other companies to patch their flaws quickly—an important factor given that Project Zero isn't always the only group of hackers who discover a vulnerability.
In fact, Project Zero notes that it first warned Apple about its BuggyCow flaw back in November and that the company hadn't acted to patch it ahead of last week's public reveal. Apple didn't respond to a request for comment.
Apple's latest hackable flaw and the company's three-month failure to patch it, both Williams and Reed point out, is the latest in a long series of security embarrassments for the company. Over the past two years, the security community has dug up flaws in Apple's code that allowed anyone to escalate their privileges on a Mac simply by typing "root," another that displayed a user's hard disk encryption password where the password hint was supposed to be, and most recently a bug that allowed FaceTime callers to listen through the microphones of devices they called before the call's recipient picked up.
"They've had a lot of very-high-profile security-related bugs and some have been really, really stupid," Reed says. "It makes you wonder what’s going on with the QA process at Apple. Are they adequately testing? Lately, it seems like they’re not."