Apple left another big macOS security hole open for 90 days, Google says

The 2016 13-inch MacBook Pro with Touch Bar, running macOS Sierra.
Image Credit: Michael O'Donnell/VentureBeat

Nearly five years ago, Google formed its Project Zero research group to reduce the impact of zero-day attacks on users, and since then it has reported numerous bugs to companies such as Apple — notably chastising its rival last October for taking too long to fix bugs, and sneaking details of fixes into already published security advisories. Today, the Project Zero team revealed (via NeoWin) another “high severity” macOS kernel bug that can allow an attacker to take control of a Mac, which it says Apple has left unfixed for 90 days.

If this sounds similar to the last Google-Apple bug situation, it is and it isn’t: Once again, the latest bug could impact millions of Mac users, but this isn’t a case of complete neglect. This bug enables an attacker to quietly modify a mounted disk image, then get the Mac to run the modified code by exploiting macOS’s memory management system.

The reason it’s so severe is that users mount disk images all the time, yet macOS doesn’t re-check the images when it automatically purges and reloads content in the course of managing its limited memory. Because of that, the Mac will have no idea that it’s copying modified and potentially malicious code to be executed.

As dangerous as that sounds, Project Zero says that Apple is aware of the issue and plans to fix it in a future macOS release, though 90 days have already passed since the vulnerability was discovered and reported to the company. The researchers are working with Apple on a patch, but there isn’t a timeline yet for its release.

Beyond Google, Apple has faced criticism recently for its bug-addressing practices. The company apparently ignored multiple user reports of an astonishing bug in FaceTime until news stories and social media posts began to circulate. Last month, a German researcher criticized the company for not offering bug reporting bounties for macOS, and said he was refusing to disclose a serious password-related bug to Apple, but has since changed his mind.
