Google Reveals Rare macOS Zero-Day Vulnerability, BuggyCow
Sivan Nir Mar 8, 2019
On November 30, 2018, Google’s Project Zero researchers discovered BuggyCow, a high-severity security flaw in the macOS kernel. They gave Apple a 90-day deadline to patch the issue: a deadline that, in this instance, was missed. As a direct result of Apple’s inaction, Google’s team revealed details about the flaw and posted a proof-of-concept on March 1, 2019.
What is BuggyCow?
BuggyCow is a vulnerability which allows remote attackers to bypass copy-on-write (COW) protection used by OS file systems which manage device memory. The memory manager helps to coordinate multiple processes, and it’s within this coordination that the flaw lies: when one of the processes attempts to change data, it copies the data from the memory to the hard disk. This makes it possible for attackers to rewrite the data, or to insert malicious code.
This flaw isn’t a massively open goal. In order to exploit it, a hacker would need their victim to already have some form of malware running on their computer. This malware might then be able to change the copied data in a way that’s invisible to the file system, but only if it was able to find a highly privileged program that keeps its sensitive data on the hard drive instead of storing it in memory.
If all of these conditions are met, then BuggyCow might then be able to rewrite the data used by this program and, if the program has left loadable code libraries in disk-based storage, it might also be able to rewrite the code.
BuggyCow’s Predecessor: Remember Dirty COW?
This isn’t the first time that a copy-on-write mechanism has been vulnerable. Back in October 2016, a privilege escalation vulnerability in Linux Kernel (CVE-2016-5195), dubbed Dirty COW, was exploited in the wild. It allows local users to gain root access by leveraging incorrect handling of a COW and can be used to root any Android device up to Android 7. COW exploits are high severity and should be patched quickly. It’s worrying, therefore, that Apple failed to act when the issue was first raised.
Apple’s Inaction is Cause for Concern
It’s been a tricky couple of years for Apple, a company renowned for its lack of zero-days. This year, it was stung by a FaceTime bug that allowed users to access and activate another user’s camera and microphone. Like with BuggyCow, Apple was called out for a lack of rapid action. Back in 2017, it was also hit by a “root” bug that let anyone log into a Mac with a blank password.
The 90-day grace period that Google gives before it publishes vulnerabilities was created to allow companies enough time to fix bugs themselves. There should be a strong motivation to do so: businesses and users are becoming increasingly security-conscious and will be more willing to work with technology providers which are able to demonstrate that they have robust security procedures in place. This is something that Apple has failed to do with BuggyCow.
It’s important to note that Apple isn’t the only company which has let a vulnerability as serious as BuggyCow go unpatched. Microsoft has also fallen foul of lagging patch times in the past. These slips haven’t gone unnoticed and have dealt some damage to the brands’ reputations. Unless Apple tightens up its patching procedures, it’s unlikely that Google is going to lose its upper-hand in the cybersecurity battle between the tech giants anytime soon.
New FaceTime Bug Allows Audio, Video Eavesdropping: The FaceTime Bug allowing unauthorized microphone and camera access is the latest chapter in Apple’s information disclosure story
ZNIU: Mobile Malware and Dirty COW: How a Dirty COW steals your information and your money