Google's Project Zero reveals three new zero-day exploits in Apple's OS X

An internal software security research team at Google has publicly revealed three recently discovered zero-day exploits in Apple's Mac OS X desktop operating system, though the severity of each vulnerability is unknown.
Update: Apple's forthcoming OS X 10.10.2 update will contain patches for the IOKit vulnerabilities reported on Friday, according to iMore.
At issue are OS X's networkd and IOKit, the latter of which is responsible for two separate cases. The disclosures, which also include proof-of-concept code, were first noticed by Ars Technica.
Project Zero researchers reported the vulnerabilities to Apple last October, and at least one of the problems appears to have been mitigated in OS X Yosemite. The disposition of the remaining two is unclear; they were publicly disclosed 90 days after being reported, which is standard operating procedure for Project Zero.
As noted by Ars, none of the vulnerabilities appear to be directly remotely exploitable — meaning a malicious actor would already need access to a machine — but they could be used in combination with other attacks to escalate the attacker's privileges.
Project Zero is a small group within Google tasked with testing and discovering vulnerabilities in commercial software. The team has already revealed three other flaws in OS X and at least that many in Microsoft's Windows, and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch.