Google's Project Zero Team Releases Details On High-Severity macOS Bug 'BuggyCow'

Google's bug-hunting researchers known as Project Zero have revealed a fresh zero-day vulnerability in macOS called "BuggyCow." "The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac," reports Wired. "The trick's name is based on a loophole the hackers found in the so-called copy-on-write, or CoW, protection built into how MacOS manages a computer's memory." From the report: Some programs, when dealing with large quantities of data, use an efficiency trick that leaves data on a computer's hard drive rather than potentially clog up resources by pulling it into memory. That data, like any data in a computer's memory, can sometimes be used by multiple processes at once. The MacOS memory manager keeps a map of its physical location to help coordinate, but if one of those processes tries to change the data, the memory manager's copy-on-write safeguard requires it to make its own copy. Which is to say, a program can't simply change the data shared by all the other processes -- some of which could be more highly privileged, sensitive programs than the one requesting the change.

Google's BuggyCow trick, however, takes advantage of the fact that when a program mounts a new file system on a hard drive -- basically loading a whole collection of files rather than altering just one -- the memory manager isn't warned. So a hacker can unmount a file system, remount it with new data, and in doing so silently replace the information that some sensitive, highly privileged code is using. Technically, as a zero-day vulnerability with no patch in sight, BuggyCow applies to anyone with an Apple laptop or desktop. But given the technical skill and access needed to pull it off, you shouldn't lose much sleep over it. To even start carrying out this Rube Goldberg -- style attack, a hacker would need a victim to already have some form of malware running on their computer. And while BuggyCow would allow that malware to potentially mess with the inner workings of higher-privileged parts of the computer, it could do so only if it found a highly privileged program that kept its sensitive data on the hard drive rather than memory. Project Zero says it warned Apple about BuggyCow back in November, but Apple hadn't acted to patch it ahead of last week's public reveal.

Single-user machines

[gnasher719]

On a single user machine, privilege escalations are not really that damaging. If you manage to hack into my user account on my Mac (or my Windows PC, or many Linux desktops), you have access to all the valuables. There is just nothing of value outside my account.

Totally different on a server. If you have 100 users on a server, then escalation from one hacked user to the other 99 is a fatal problem.

Re:Single-user machines

[dgatwood]

Breaching a user account gives you all the user's files, and that's pretty severe, yes. Breaching an admin account lets you change the software that deals with files, and networking, joins a botnet, etc.

Most single-user machines don't have a separate admin account. So breaching the user's account is breaching an admin account. That's why the GP said that for single-user machines, privilege escalation rarely matters.

Of course, it isn't *quite* true. There are processes like the keychain that provide some additional privilege separation between apps. If the keychain happens to store out-of-band mach message data in a vulnerable location, then this could lead to arbitrary code being able to modify keychain requests from other apps to steal passwords somehow. Maybe. But realistically, those sorts of communication mechanisms shouldn't be storing data to disk even temporarily.