Google's Project Zero reveals three new zero-day exploits in Apple's OS X [u]

Update: Apple's forthcoming OS X 10.10.2 update will contain patches for the IOKit vulnerabilities reported on Friday, according to iMore.

At issue are OS X's networkd and IOKit, which is responsible for two separate cases. The disclosures —  which also include proof-of-concept code — were first noticed by ArsTechnica.

Project Zero researchers reported the vulnerabilities to Apple last October, and at least one of the problems appears to have been mitigated in OS X Yosemite. The disposition of the remaining two is unclear; they were publicly disclosed 90 days after being reported, which is standard operating procedure for Project Zero.

As noted by Ars, none of the vulnerabilities appear to be directly remotely exploitable —  meaning a malicious actor would already need access to a machine —  but they could be used in combination with other attacks to escalate the attacker's privileges.

Project Zero is a small group within Google tasked with testing and discovering vulnerabilities in commercial software. The team has already revealed three other flaws in OS X and at least that many in Microsoft's Windows, and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch.