AppleInsider Staff
An internal software security research team at Google has publicly revealed three of recently-discovered zero-day exploits in Apple's Mac OS X desktop operating system, though the severity of each vulnerability is unknown.
Update: Apple's forthcoming OS X 10.10.2 update will contain patches for the IOKit vulnerabilities reported on Friday, according to iMore.
At issue are OS X's networkd and IOKit, which is responsible for two separate cases. The disclosures — Â which also include proof-of-concept code — were first noticed by ArsTechnica.
Project Zero researchers reported the vulnerabilities to Apple last October, and at least one of the problems appears to have been mitigated in OS X Yosemite. The disposition of the remaining two is unclear; they were publicly disclosed 90 days after being reported, which is standard operating procedure for Project Zero.
As noted by Ars, none of the vulnerabilities appear to be directly remotely exploitable —  meaning a malicious actor would already need access to a machine —  but they could be used in combination with other attacks to escalate the attacker's privileges.
Project Zero is a small group within Google tasked with testing and discovering vulnerabilities in commercial software. The team has already revealed three other flaws in OS X and at least that many in Microsoft's Windows, and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch.
William Gallagher
Christine McKee
Sponsored Content
Malcolm Owen
Andrew Orr
Wesley Hilliard
70 Comments
I wonder how many zero-day exploits they'd find in Android. Maybe they should turn their attention to that. That said, Apple should have fixed these by now if they really were properly notified 90 days ago.
I wonder how many zero-day exploits they'd find in Android. Maybe they should turn their attention to that.
That said, Apple should have fixed these by now if they really were properly notified 90 days ago.
I believe their job is to investigate issues in software the Google engineering group encounters when interacting with other products while issues within Android are handled directly by that dept, but I could be wrong as I haven't done much digging into them.
It's a love-hate. They do great and important work, but they are also very willing to skirt the edge of ethical public disclosure for what they see is the greater good (forcing developers to patch their code). Unfortunately, though, these things aren't often black and white and I'm sure many scenarios that pass the 90 day "limit" are in that grey zone.
And 35 other bugs that Project Zero notified Apple about and were fixed.
And 35 other bugs that Project Zero notified Apple about and where fixed.
were, not where
Comment on a blog....not english class!