A researcher found two macOS Recovery Mode Safari flaws that allow writing to system volumes and persistent root access (CVSS 8.5) and unrestricted file reads (CVSS 4.6). On Sequoia and older, Recovery Safari’s download/location prompt can be abused to save arbitrary files directly onto Macintosh HD and other system volumes without authentication; by controlling Content-Type headers the attacker can preserve filenames/extensions and drop executable payloads. The author demonstrated hosting malicious files and using nonstandard MIME types to bypass Safari’s protections. The bugs matter because Recovery Mode is a high-privilege environment intended for system repair; persistence and data exfiltration from it undermine device security and could defeat local protections. Patches were referenced in linked write-ups.
A researcher found two Safari-in-Recovery vulnerabilities in macOS: one (Sequoia and earlier) lets an attacker save arbitrary files to system volumes from Recovery Mode—enabling persistent root-level implants (CVSS 8.5)—and another (Tahoe) allows unrestricted file reads (CVSS 4.6). The issue arises because Recovery Mode’s Safari can connect to Wi‑Fi and save downloads to mounted persistent volumes (Macintosh HD, Data, Preboot). The researcher demonstrated bypasses including using a nonstandard Content-Type to preserve filenames/extensions and serve malicious payloads from a web server. Apple has since patched the flaws; technical write-ups and proof-of-concept details were published by the finder. This matters because Recovery Mode is supposed to be a trusted, isolated repair environment, and these bugs undermine device integrity and local security.
Root Persistence via macOS Recovery Mode Safari
A macOS TCP networking bug causes kernel TCP state tracking to overflow after roughly 49.7 days of system uptime, which can break networked applications. The flaw doesn’t require individual connections to remain open that long; once uptime crosses the threshold, the kernel’s TCP handling begins failing and can disrupt all TCP connections. The issue revived community discussion comparing it to old 49.7-day Windows bugs, and scripts were shared to calculate or monitor when a system will hit the cutoff. This matters because long-running macOS systems and servers (including developer machines and networking tools) may unexpectedly lose network functionality and should be rebooted or patched to avoid service disruptions.