A few days ago a ‘text bomb‘ bug was reported for Apple iOS and macOS apps, the issue can crash any Apple iPhone, iPad Or Mac.
Now the Apple expert Mike Bombich discovered an APFS Filesystem vulnerability that could lead macOS losing data under certain conditions.
The bug ties the way the operating system handles APFS sparse disk images formatted in Apple filesystem format APFS.
An Apple Disk Image is a disk image commonly used by the macOS operating system is “mounted” as a volume within the Finder. It contains the entire contents and structure of a disk volume, such as USB, CD, DVD, hard disk drive, or network share.
Disk images are commonly used by several Mac apps, for example for backup applications or disk cloning.
The expert discovered that APFS sparse disk images don’t properly manage the volume of the “free disk space” from the sparse disk image, the OS doesn’t correctly report “free disk space” respect the real “free disk space” value.
“Earlier this week I noticed that an APFS-formatted sparsebundle disk image volume showed ample free space, despite that the underlying disk was completely full. Curious, I copied a video file to the disk image volume to see what would happen. The whole file copied without error! I opened the file, verified that the video played back start to finish, checksummed the file – as far as I could tell, the file was intact and whole on the disk image.” wrote Mike Bombich. “When I unmounted and remounted the disk image, however, the video was corrupted. If you’ve ever lost data, you know the kick-in-the-gut feeling that would have ensued. Thankfully, I was just running some tests and the file that disappeared was just test data. Taking a closer look, I discovered two bugs in macOS’s “diskimages-helper” service that lead to this result.”
Bombich explained that data are written into the void because the OS doesn’t warn users that there is no enough space on the underlying hard drive to contain his data.
As described by the expert, the misleading data are still accessible for a short period after the write operation, unfortunately after the next system reboot exceeding files become corrupted and inaccessible.
Bombich is the author of the Mac backup software Carbon Copy Cloner, according to statistics from his software no many users are affected. The expert says that only 7% of all Carbon Copy Cloner users store backups as sparse disk image files and that only 12% of these 7% use APFS-formatted disk images.
The Carbon Copy Cloner software will not support AFPS-formatted sparse disk images until Apple addresses the vulnerability reported by Bombich.
Below a video PoC of the flaw.
(Security Affairs – APFS, Data Leak)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.