Google's Project Zero security disclosure program is once again proving to be a double-edged sword. The company has detailed a "high severity" macOS kernel flaw that lets people modify a user-mounted file system image without the virtual management subsystem being any the wiser, theoretically letting an attacker go unnoticed by users. Apple is working on a patch, but the disclosure ahead of the fix could leave Mac users vulnerable until it's ready.
The less-than-ideal timing stems in part from how Project Zero works. Google notified Apple of the bug in November 2018, but its automatic 90-day disclosure policy means that it will publicize security vulnerabilities whether or not a fix is in place. While the company does offer a 14-day grace period for companies who don't think they'll have patches ready in time, Apple didn't necessarily qualify for this reprieve. We've asked both Apple and Google for comment.
It's not clear how easy this would be to exploit in the wild. In the meantime, you'll likely want to be particularly careful about the sites you visit and the files you download. A successful attack could theoretically make serious changes to macOS without tripping system-level safeguards, and you might not be aware of the damage until considerably later.