Google’s Project Zero reveals three new zero-day exploits in Apple’s OS X
Google’s Project Zero reveals three new zero-day exploits in Apple’s OS X
Altruistic or malicious? Google’s Project Zero team seems dedicated to discovering programming issues (or vulnerabilities) on various platforms, and now they’ve disclosed three vulnerabilities on the OS X platform which don’t appear to be critical at first glance, as all three require the attacker to already have some access to the targeted machine.
It seems that the first vulnerability involving "networkd 'effective_audit_token' XPC," has already been resolved in OS X Yosemite, but Apple doesn’t discuss security matters with the press, and the Google advisory doesn’t quite make this explicit.
What it does include however, is proof-of-concept code that could be used to combine the exploits with a separate attack to gain control over vulnerable Macs by remotely elevating user privileges. Ars Technica reports that the vulnerabilities were first reported to Apple on October 20, October 21, and October 23rd 2014, so these advisories are being published after the 90-day grace period Project Zero gives developers before making reports public.
In this case, Apple’s upcoming OS X 10.10.2 is said to contain patches for the IOKit vulnerabilities reported so it remains to be seen if Apple will issue any official response to the postings, but an earlier report by Project Zero on a Windows 8.1 vulnerability just two days before Microsoft’s usual ‘patch Tuesday’ irked the software giant enough to issue a full statement on their blog, saying “the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result”.
Whatever it is, it seems like Google’s Project Zero team is going to continue to plough away at any new software releases, and hopefully anything they find gets patched soon enough so they become a watch dog for better software rather than a library of potential exploits. Either way, keep up with your software updates!
Sources: Ars Electronica, Apple Insider, Google Security Research, iMore