Google reveals major macOS vulnerability, but Apple remains indifferent

About five years ago, Google established the Project Zero research group to reduce the impact of zero-day attacks on users. Google has since reported numerous vulnerabilities to companies like Apple. Now, the Project Zero team has disclosed another "very serious" macOS kernel vulnerability. Apple actually left this vulnerability open for 90 days.

Google explained that this vulnerability allows an attacker to modify a mounted file system image owned by the user without notifying the virtual management subsystem of changes, which means that the hacker can modify the file system image without the user's knowledge.

According to Google, Apple has not yet resolved the issue. Some foreign media have contacted Apple about this issue, but there is currently no solution. Apple intends to address this issue in a future version update.

Why did Google disclose the vulnerability before Apple provided a solution? This ties into the principles of the Project Zero team. The team provides details to the software development company after discovering a security flaw, and there is a 90-day grace period before disclosure occurs once the window has passed, regardless of whether the vulnerability has been fixed.

In addition to being criticized by Google for being too slow to address vulnerabilities, Apple has recently been criticized for its approach to fixing vulnerabilities. It apparently ignored a shocking vulnerability in its video calling software, FaceTime, despite multiple users reporting it to it. It wasn't until news reports and social media posts began to highlight the security flaw that Apple began to take it seriously.

It's unclear whether the flaw is easily exploitable, but Google marked it as "critical" because it has the potential to bypass macOS security measures. Therefore, it is recommended that Mac users try to choose trusted sources when downloading files to reduce the possibility of being attacked.