Jump to content
Aerosol

Google drops three OS X 0days on Apple

Recommended Posts

Don't look now, but Google's Project Zero vulnerability research program may have dropped more zero-day vulnerabilities—this time on Apple's OS X platform.

In the past two days, Project Zero has disclosed OS X vulnerabilities here, here, and here. At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What's more, the first vulnerability, the one involving the "networkd 'effective_audit_token' XPC," may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn't make this explicit and Apple doesn't publicly discuss security matters with reporters.

Still, the exploits could be combined with a separate attack to elevate lower-level privileges and gain control over vulnerable Macs. And since the disclosures contain proof-of-concept exploit code, they provide enough technical detail for experienced hackers to write malicious attacks that target the previously unknown vulnerabilities. The security flaws were privately reported to Apple on October 20, October 21, and October 23, 2014. All three advisories appear to have been published after the expiration of the 90-day grace period Project Zero gives developers before making reports public.

Assuming the vulnerabilities remain active in at least some versions of OS X, it wouldn't be the first time Project Zero has gone against a developer's wishes and made unfixed security bugs known to the whole world. The Google-backed program has already published three unpatched vulnerabilities in Windows.

Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...