Researchers at Google Project Zero found a vulnerability in the macOS kernel (XNU). It lies in the kernel's copy-on-write mechanism, which lets one process hand memory to another on the understanding that the receiver's copy can no longer be changed by the sender. The researchers showed that an attacker who modifies a mounted macOS file system image directly, without the file system being informed of the change, can alter data the receiving process believes is a stable copy, and that this can be leveraged to execute malicious code.
This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.
Google Project Zero team
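The quoted passage rests on one fact about copy-on-write file mappings: they are not snapshots. A page stays backed by the page cache, and so by the file, until something actually writes to it through the mapping. The following user-space program is an added illustration of that behaviour, not code from the Project Zero report or from Apple. It maps a constructed temporary file copy-on-write, has the "receiver" read it, then changes the file behind the mapping's back and reports whether the receiver sees the change, once with the page only read and once after the page was written (which forces the kernel to take the private copy). It does not reproduce the kernel bug itself, which additionally needed the backing file system image to be modified and the pages to be evicted and reloaded.

```c
/* Added example: a MAP_PRIVATE (copy-on-write) file mapping only becomes a
 * private copy once a page is written through the mapping. Before that, the
 * page is the page-cache page, so a change to the file shows up in the reader. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed backing file: `len` bytes of `fill` in an unlinked temp file.
 * Returns the open fd, or -1 on error. */
static int make_backing_file(char fill, size_t len) {
    char path[] = "/tmp/cow-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                       /* the open fd keeps the file alive */
    char *buf = malloc(len);
    if (!buf) { close(fd); return -1; }
    memset(buf, fill, len);
    ssize_t n = write(fd, buf, len);
    free(buf);
    if (n != (ssize_t)len) { close(fd); return -1; }
    return fd;
}

/* Map the file copy-on-write, let the "receiver" read it, optionally store
 * through the mapping (the write that actually triggers the copy), then have
 * the "sender" modify the file itself.
 * Returns 1 if the mapping now shows the new file content (page still shared),
 * 0 if the mapping is unchanged (private copy isolated the reader), -1 on error. */
int cow_mapping_sees_file_change(int write_through_mapping) {
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0) return -1;
    size_t len = (size_t)pagesz;
    int fd = make_backing_file('A', len);
    if (fd < 0) return -1;

    void *raw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (raw == MAP_FAILED) { close(fd); return -1; }
    volatile unsigned char *map = raw;   /* volatile: every access really hits memory */

    /* Receiver reads the transferred data: it sees 'A'. */
    if (map[0] != 'A') { munmap(raw, len); close(fd); return -1; }

    if (write_through_mapping) {
        /* A store through a MAP_PRIVATE page forces the kernel to copy it. */
        map[len - 1] = map[len - 1];
    }

    /* Sender modifies the file behind the mapping's back. */
    unsigned char b = 'B';
    if (pwrite(fd, &b, 1, 0) != 1) { munmap(raw, len); close(fd); return -1; }

    int changed = (map[0] == 'B');
    munmap(raw, len);
    close(fd);
    return changed;
}

int main(void) {
    printf("page only read, then file modified:    %s\n",
           cow_mapping_sees_file_change(0) == 1 ? "receiver sees the change"
                                                : "receiver unaffected");
    printf("page written (copied), then file modified: %s\n",
           cow_mapping_sees_file_change(1) == 1 ? "receiver sees the change"
                                                : "receiver unaffected");
    return 0;
}
```

Whether the read-only case shows the change is left unspecified by POSIX and depends on the kernel; on Linux the page is still the shared page-cache page, so the receiver sees 'B'. Once the page has been written through the mapping, the private copy is guaranteed to be isolated and the second call returns 0. The kernel-side guarantee the Project Zero report describes depends on the same distinction: as long as the data lives in the page cache rather than in a private copy, whatever refills the page cache decides what the receiver reads.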
The Google Project Zero team reported the issue to Apple in November of last year, but the company had not shipped a fix by the end of Project Zero's standard 90-day disclosure deadline, so the researchers published the details together with proof-of-concept exploit code.