
Google discloses 'high severity' Mac security flaw ahead of patch

The vulnerability could let attackers mess with the file system in secret.
Jon Fingas, @jonfingas
March 4, 2019

Google's Project Zero security disclosure program is once again proving to be a double-edged sword. The company has detailed a "high severity" macOS kernel flaw that lets people modify a user-mounted file system image without the virtual management subsystem being any the wiser, theoretically letting an attacker go unnoticed by users. Apple is working on a patch, but the disclosure ahead of the fix could leave Mac users vulnerable until it's ready.

The less-than-ideal timing stems in part from how Project Zero works. Google notified Apple of the bug in November 2018, but its automatic 90-day disclosure policy means that it will publicize security vulnerabilities whether or not a fix is in place. While the company does offer a 14-day grace period for companies who don't think they'll have patches ready in time, Apple didn't necessarily qualify for this reprieve. We've asked both Apple and Google for comment.

It's not clear how easy this would be to exploit in the wild. In the meantime, you'll likely want to be particularly careful about the sites you visit and the files you download. A successful attack could theoretically make serious changes to macOS without tripping system-level safeguards, and you might not be aware of the damage until considerably later.
