Google revealed a severe macOS kernel flaw that could allow attackers to take malicious action without being detected by the system.
The kernel flaw allows attackers to modify user-owned mounted filesystem images without notifying the virtual management subsystem. In other words, an attacker could potentially perform malicious actions on that mounted filesystem without alerting macOS protection systems or the user until it's too late.
Google disclosed the details of the vulnerability through its Project Zero security disclosure program. Unfortunately, the project’s automatic 90-day disclosure policy means Google revealed the vulnerability before Apple managed to patch it.
Project Zero informed Apple of the flaw in November 2018, and the Cupertino-based company is working on a patch, but macOS users will be vulnerable until it’s ready.
That said, it’s not clear how easily attackers could exploit the flaw in the wild. Easy or not, macOS users will want to be cautious when downloading files and visiting websites — if an attacker exploits the vulnerability, they could do severe damage to macOS.
This flaw follows another macOS vulnerability, in its Keychain software, that could allow attackers to obtain stored passwords and other sensitive data.