Google Project Zero Targets macOS Kernel

Google's Project Zero security team is highlighting research into fuzzing macOS kernel extensions, specifically targeting hardware-accelerated AV1 video decoding. The focus is on devices with Apple A17 and M3 chips or newer, underscoring the continuous need to harden even routine media playback paths against potential exploits at the hardware level.

Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a program to identify bugs and security vulnerabilities. This process, also known as fuzz testing, helps uncover defects like buffer overflows, denial-of-service issues, and cross-site scripting vulnerabilities by causing the system to crash or behave unexpectedly. The technique originated in 1988 at the University of Wisconsin–Madison when a professor's program crashed due to "noise" from a thunderstorm on a dial-up connection.

Kernel extensions, or kexts, are bundles of code that load directly into the macOS kernel to expand its functionality, allowing software to interact directly with hardware. This deep access, however, poses significant security risks, as a vulnerability in a kext could compromise the entire operating system. In response, Apple has been transitioning away from kexts towards System Extensions, which run in the more secure user space, a move that began with macOS Catalina in 2019.

Project Zero has a history of scrutinizing Apple's security, including a 2019 disclosure of a two-year-long hacking campaign that targeted thousands of iPhones through compromised websites. That campaign utilized five distinct exploit chains and 14 vulnerabilities, seven of which were in the Safari browser and five in the kernel, to install a monitoring implant. In a separate instance, Project Zero discovered zero-click vulnerabilities in Apple's Image I/O framework across multiple operating systems. More recently, the team analyzed the "FORCEDENTRY" exploit used by NSO Group, which they described as one of the most technically sophisticated exploits ever seen.

Hardware-accelerated AV1 decoding offloads the processing of the AV1 video codec from the CPU to the GPU, resulting in lower power consumption and smoother playback. While this improves performance, it also introduces a new potential attack surface at the hardware level. The Alliance for Open Media, which includes Apple, Google, and others, developed the royalty-free AV1 codec as an open-source alternative to proprietary formats like H.265. Apple introduced support for AV1 hardware decoding in its A17 Pro and M3 chips.

The focus on Apple's latest silicon is significant, as researchers have recently identified other hardware-level vulnerabilities. In early 2025, security researchers disclosed "SLAP" and "FLOP," two side-channel attacks impacting M2, M3, A15, and A17 chips that exploit speculative execution to potentially steal data. Another unpatchable vulnerability, dubbed "GoFetch," was discovered in M1, M2, and M3 chips, which could allow attackers to extract secret encryption keys.
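The fuzzing loop described above, as an added example that is neither Project Zero's harness nor Apple's decoder code: a toy parser for AV1's OBU framing (obu_header plus a leb128 obu_size, simplified from the AV1 bitstream spec) in an unchecked and a length-checked variant, and a mutation fuzzer that feeds it corrupted inputs and keeps the ones the unchecked variant mishandles. The seed stream, the function names and the use of IndexError to stand in for the out-of-bounds read a native decoder would suffer are assumptions of this example.

```python
import random
SEED = bytes([0x12, 0x00, 0x32, 0x03, 0xAA, 0xBB, 0xCC])  # constructed: temporal delimiter, then a 3-byte frame OBU

def leb128(data, pos):
    """Decode an AV1 leb128 unsigned integer (at most 8 bytes) starting at data[pos]."""
    value = 0
    for i in range(8):
        if pos + i >= len(data):
            raise ValueError("truncated leb128")
        value |= (data[pos + i] & 0x7F) << (7 * i)
        if not data[pos + i] & 0x80:
            break
    return value, pos + i + 1

def parse_obus(data, checked):
    """Split an AV1 low-overhead bitstream into (obu_type, payload) pairs; checked=False trusts obu_size."""
    pos, obus = 0, []
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        pos += (hdr >> 2) & 1                  # obu_extension_flag: skip the extension byte
        if not hdr & 0x02:                     # this stream form requires obu_has_size_field
            raise ValueError("OBU without size field")
        size, pos = leb128(data, pos)
        if checked and size > len(data) - pos:
            raise ValueError("obu_size exceeds remaining bytes")
        _ = data[pos + size - 1]               # read the last promised byte: OOB read if the header lies
        obus.append(((hdr >> 3) & 0x0F, data[pos:pos + size]))
        pos += size
    return obus

def outcome(data, checked):
    """Classify one input: 'ok', 'rejected' (ValueError) or 'crash' (IndexError models the OOB read)."""
    try:
        parse_obus(data, checked)
        return "ok"
    except (ValueError, IndexError) as exc:
        return "crash" if isinstance(exc, IndexError) else "rejected"

def fuzz(seed_input, iterations=2000, seed=1):
    """Mutate the seed (bit flips, byte drops) and return the first input that crashes the unchecked parser."""
    rng = random.Random(seed)
    for _ in range(iterations):
        buf, i = bytearray(seed_input), rng.randrange(len(seed_input))
        if rng.randrange(2):
            buf[i] ^= 1 << rng.randrange(8)    # flip one bit
        else:
            del buf[i]                         # drop one byte
        if outcome(bytes(buf), checked=False) == "crash":
            return bytes(buf)                  # keep the crashing input for triage
    return None
```

Every input the fuzzer flags against the unchecked parser is cleanly rejected by the checked one, which is the bounds check a hardened decoder needs before trusting a length field from the bitstream.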

Shared from Scout - Be the smartest in the room.