Justin Sullivan/Getty Images
- Google’s Project Zero security team have uncovered a MacOS security flaw before Apple had time to fix it.
- The team nicknamed the flaw "BuggyCow" after the feature it exploits.
- It’s another security embarrassment for Apple.
Google’s team of security researchers, called Project Zero, have uncovered a rare security flaw for Apple’s computer operating system MacOS.
Google’s team uncovered the previously undisclosed bug, known as a zero-day exploit, and gave Apple a 90-day deadline to fix it before they went public with the details.
Apple didn’t respond after 94 days and the team posted the exploit in a forum post, revealing that they had nicknamed it "BuggyCow."
As noted by The Register, the bug allows malware already running on the victim’s Mac, or a rogue logged-in user, to gain access to the more protected bits of their computer. The Mac would already need to be compromised in some way, so the victim would already be in trouble before anyone actually exploited the bug.
Project Zero researcher Ian Beer demonstrated the flaw in a proof-of-concept code — meaning it’s open for anyone to see, and it directly impacts a major rival to Google.
The "BuggyCow" name stems from a hole in MacOS’ copy-on-write, or CoW, feature. The issue would allow malware or a rogue user to modify files without triggering any warnings.
Researcher Jann Horn wrote on 28 February that there was no fix from Apple.
"We’ve been in contact with Apple regarding this issue, and at this point no fix is available," he wrote. "Apple are intending to resolve this issue in a future release, and we’re working together to assess the options for a patch."
The Project Zero team has a habit of revealing major security flaws that affect big tech firms, and its strict three-month deadline for those firms to fix the issues has been criticised as foolhardy.
But Apple has had a number of security embarrassments recently. There was the FaceTime bug that allowed another user to listen in to calls, and the "root" bug that let anyone log into a Mac with a blank password.
Mac security specialist at Malwarebytes Thomas Reed told Wired that some of the problems could have been avoided.
"They’ve had a lot of very-high-profile security-related bugs and some have been really, really stupid," he said. "It makes you wonder what’s going on with the QA process at Apple. Are they adequately testing? Lately, it seems like they’re not."
- From new iPhones to foldable phones, these are the top smartphones we can’t wait to see in 2019
- YouTube’s cable TV alternative now has more than 1 million paying subscribers
- Microsoft is putting the final nail in the coffin for its Apple Watch competitor, and offering partial refunds to anybody still using it