Google’s Project Zero Discloses 3 Active OS X Bugs

Posted at 1:46 pm on January 26, 2015

Project Zero has done it again: Google’s private security research team has discovered and disclosed three zero-day flaws in Apple’s OS X platform — before Apple patched them.

The three flaws are all relatively low-level. To exploit them in real life, attackers would need some sort of pre-established access to the target’s computer. But Google’s decision to disclose the flaws before a patch was ready shows how serious the company is about its Project Zero initiative, and what that commitment means for its rivals.

The three flaws are documented on Project Zero’s website. One pertains to OS X’s “effective audit token” (and may already be fixed in OS X Yosemite); one has to do with a null pointer that was causing a kernel code flaw; and another has to do with kernel memory corruption. Google says it informed Apple of the flaws on Oct. 20, 21 and 23 of 2014, respectively; Project Zero gives companies 90 days after notification to patch flaws.

Apple has not commented about the flaws or when they might be patched. The company rarely speaks about security issues.

Project Zero disclosed three flaws in Microsoft software. Microsoft wasn’t pleased.

“We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon,” wrote Microsoft’s Chris Betz in a Jan. 11 blog post on the Microsoft Security Response Center.

When Project Zero finds a flaw in a piece of software, its policy is to privately inform the software developers, and then give the developers 90 days to fix it. After that window, the bug becomes public knowledge, informing both the users of the software who need to protect themselves and malicious hackers who might pounce on the information to exploit the flaw.

Project Zero holds strictly to its 90-day grace period, and so far has not granted any known exemptions.
