< NULLCON 2025 - BERLIN />

About the Speaker

Mickey Jin

< Talk Title />

Exploiting the Impossible: A Deep Dive into A Vulnerability Apple Deems Unexploitable

< Talk Category />

Technical Speakers

< Talk Abstract />

How do Apple developers copy files? Do they rely on “NSFileManager” or the foundational C-language APIs? And just how secure are these ubiquitous methods?

In this presentation, we will talk about how we discovered a critical race condition vulnerability lurking in Apple’s core file-copy APIs. Since these vulnerable APIs are heavily used by Apple developers and Apple itself, almost all Apple devices are affected, including macOS, iOS, watchOS, and more.

More interestingly, Apple was aware of the security risk and warned developers about it in the API documentation. But they did nothing because they thought it would be almost impossible to exploit the issue due to the race condition’s microscopic time window.

Luckily, we've come up with some new tricks and developed a reliable exploit program that abuses this vulnerability in a privileged system service to steal arbitrary users' secrets.

While Apple addressed this vulnerability as CVE-2024-54566 (pending publication), we discovered the patch was insufficient – it can still be trivially bypassed using the same tricks. A second patch is scheduled for release this summer. Finally, we will discuss Apple’s final solutions.

< Speaker Bio />

Mickey Jin (@patch1t) is an independent security researcher with a keen interest in malware analysis, threat campaign research, and vulnerability research.

Over the past few years, he has received over 250 CVEs from Apple, Inc.
He was also a speaker at various conferences such as HITB2021SIN/HITB2022SIN, PoC2022/PoC2024, and Objective By The Sea v6/v7.