Google's Project Zero reveals three new zero-day exploits in Apple's OS X

An internal software security research team at Google has publicly revealed three recently discovered zero-day exploits in Apple's Mac OS X desktop operating system, though the severity of each vulnerability is unknown.
Update: Apple's forthcoming OS X 10.10.2 update will contain patches for the IOKit vulnerabilities reported on Friday, according to iMore.
At issue are OS X's networkd and IOKit, with IOKit responsible for two separate cases. The disclosures, which also include proof-of-concept code, were first noticed by Ars Technica.
Project Zero researchers reported the vulnerabilities to Apple last October, and at least one of the problems appears to have been mitigated in OS X Yosemite. The disposition of the remaining two is unclear; they were publicly disclosed 90 days after being reported, which is standard operating procedure for Project Zero.
As noted by Ars, none of the vulnerabilities appear to be directly remotely exploitable — meaning a malicious actor would already need access to a machine — but they could be used in combination with other attacks to escalate the attacker's privileges.
Project Zero is a small group within Google tasked with testing and discovering vulnerabilities in commercial software. The team has already revealed three other flaws in OS X and at least that many in Microsoft's Windows, and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch.