Google's Project Zero reveals three new zero-day exploits in Apple's OS X [u]

Posted in macOS, edited January 2015
An internal software security research team at Google has publicly revealed three recently discovered zero-day exploits in Apple's Mac OS X desktop operating system, though the severity of each vulnerability is unknown.




Update: Apple's forthcoming OS X 10.10.2 update will contain patches for the IOKit vulnerabilities reported on Friday, according to iMore.

At issue are OS X's networkd and IOKit, the latter of which is responsible for two separate cases. The disclosures -- which also include proof-of-concept code -- were first noticed by Ars Technica.

Project Zero researchers reported the vulnerabilities to Apple last October, and at least one of the problems appears to have been mitigated in OS X Yosemite. The disposition of the remaining two is unclear; they were publicly disclosed 90 days after being reported, which is standard operating procedure for Project Zero.

As noted by Ars, none of the vulnerabilities appear to be directly remotely exploitable -- meaning a malicious actor would already need access to a machine -- but they could be used in combination with other attacks to escalate the attacker's privileges.

Project Zero is a small group within Google tasked with testing and discovering vulnerabilities in commercial software. The team has already revealed three other flaws in OS X and at least that many in Microsoft's Windows, and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch.

Comments

  • Reply 1 of 70
    elijahg Posts: 610 member
    I wonder how many zero-day exploits they'd find in Android. Maybe they should turn their attention to that.

    That said, Apple should have fixed these by now if they really were properly notified 90 days ago.
  • Reply 2 of 70
    nobodyy Posts: 377 member
    Quote:
    Originally Posted by Elijahg View Post



    I wonder how many zero-day exploits they'd find in Android. Maybe they should turn their attention to that.



    That said, Apple should have fixed these by now if they really were properly notified 90 days ago.



    I believe their job is to investigate issues in software the Google engineering group encounters when interacting with other products while issues within Android are handled directly by that dept, but I could be wrong as I haven't done much digging into them.

     

    It's a love-hate. They do great and important work, but they are also very willing to skirt the edge of ethical public disclosure for what they see as the greater good (forcing developers to patch their code). Unfortunately, though, these things aren't often black and white and I'm sure many scenarios that pass the 90-day "limit" are in that grey zone.

  • Reply 3 of 70
    malta Posts: 78 member

    And 35 other bugs that Project Zero notified Apple about and were fixed.

  • Reply 4 of 70
    Quote:

    Originally Posted by malta View Post

     

    And 35 other bugs that Project Zero notified Apple about and where fixed.




    were, not where

  • Reply 5 of 70

    Comment on a blog... not English class!

  • Reply 6 of 70

    Google is a joke. They don't care about compatibility issues or stability, so they live in a fantasy world where you can shove a patch out the door whenever you want. Real companies like Microsoft and Apple have to do actual testing of patches, whereas Google claims every product is a beta, so no one can complain it doesn't work.

     

    And there probably isn't a database large enough to hold all of Android's exploits and flaws.

  • Reply 7 of 70
    Doesn't Google have a ton of issues with Android apps?
  • Reply 8 of 70
    pfisher wrote: »
    Doesn't Google have a ton of issues with Android apps?

    They just stop supporting it when it gets overwhelming.
  • Reply 9 of 70
    "and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch."

    Well, that could have been prevented had you released the patch the day before, now wouldn't it have, Microsoft?
  • Reply 10 of 70
    pfisher wrote: »
    Doesn't Google have a ton of issues with Android apps?
    They do, this is just an attempt at deflection.

    While this division does serve a worthy purpose, lately they have been putting end users' safety in jeopardy by releasing technical details of these discovered exploits before letting the manufacturers patch them. Though it has been 90 days, they should've reached out to Apple (and Microsoft for another instance like this over the last few days) and attempted to clarify if a patch was indeed in the works, and perhaps adjusting the release of this information to after the patch release date.

    Their actions are unethical, but then again, this is Google we're talking about here...
  • Reply 11 of 70
    "and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch."

    Well, that could have been prevented had you released the patch three days earlier, now wouldn't it have, Microsoft?
    This is a bit of a short-sighted statement... Like someone here said, companies like Microsoft and Apple need to test their patches before releasing them onto hundreds of millions of machines. If Microsoft needed 3 more days of testing before release, I'd have given them those 3 days to ensure a patch that doesn't start BSoD'ing machines all around the planet.
  • Reply 12 of 70
    Quote:

    Originally Posted by macinthe408 View Post



    "and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch."



    Well, that could have been prevented had you released the patch the day before, now wouldn't it have, Microsoft?



    Microsoft had a patch, but they also have a monthly patch cycle demanded by their business clients. Microsoft asked for a 2 day extension so the patch would be available when announced but Google went ahead and released the information anyway.

     

    For a company that just lives in a continuous Beta cycle maybe it is ok to just dump out patches whenever. For a company that is supporting real businesses that isn't a good model - one reason I'd never use Google services in a business environment.

  • Reply 13 of 70
    gatorguy Posts: 18,907 member
    EDIT:
    NVM. Nothing gained from replying
  • Reply 14 of 70
    gatorguy wrote: »
    So perhaps Google should just give them 4 months instead of three. Or if 4 isn't enough how about 5? The whole point of the project is to keep users safe by prodding the developer to patch their holes in a somewhat timely manner. You really think allowing 3 months is too much of a burden for the code originator?
    That's yet another extremely arrogant, and short-sighted comment...

    Are you one of the developers on the Windows or OS X teams? Do you know how complex it must be to patch a piece of software that is comprised of MILLIONS of lines of code? Do you know how much testing must be done to ensure it doesn't break a product used by MILLIONS of businesses and consumers around the entire planet? I highly doubt it, so what makes you think you (or even anyone here, including myself for that matter) can make such pretentious and assuming comments with ZERO foundational knowledge?

    Another thing, Microsoft was just THREE DAYS away from releasing the patch in that case, and had requested an appropriate extension, instead Google thumbed their nose at the safety of end users, and released the exploit into the wild before MS was ready. That is completely unacceptable. In the case of Apple, again, we don't know how complex this issue was to fix, or how much time they needed to test the fix to ensure they didn't cause any additional issues as a result.
  • Reply 15 of 70
    cpsro Posts: 2,350 member

    Come on. Let's give Google a little lovin'!

    http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html

     

    How many of these are 1000-day exploits? How many Android handset owners haven't any opportunity (or clue how) to patch them?

  • Reply 16 of 70
    cpsro wrote: »
    Come on. Let's give Google a little lovin'!
    http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html

    How many of these are 1000-day exploits? How many Android handset owners haven't any opportunity (or clue how) to patch them?
    This wins the Internet for the day!
  • Reply 17 of 70
    gatorguy wrote: »
    EDIT:
    NVM. Nothing gained from replying
    Nice to see you're not even willing to stand behind your comment and instead delete it, sheesh :no:
  • Reply 18 of 70
    xixo Posts: 414 member
    scartart wrote: »
    For a company that is supporting real businesses that isn't a good model - one reason I'd never use Google services in a business environment.

    As someone who codes business intranet web apps for desktop and mobile that make extensive use of Google APIs / toolkits (OAuth, Drive, Calendar, gmail), I beg to differ.

    A year ago Google's tech support and corporate customer sales staff were a joke. Today I can only sing their praises. Responsive, professional, effective, inexpensive.

    Compared to Apple, Microsoft, Oracle or any of the others - no comparison. Not even close.

    Google interoperates with multiple environments and platforms. Apple works with... Apple.

    The things our company does with Google services could never be done with iCloud.
  • Reply 19 of 70
    dewme Posts: 1,492 member
    I give Google credit for disclosing these instead of selling them to the highest bidder.
  • Reply 20 of 70
    xixo wrote: »
    Compared to Apple, Microsoft, Oracle or any of the others - no comparison. Not even close.

    Google interoperates with multiple environments and platforms. Apple works with... Apple.

    ROTFLMAO!!!

    I'm sorry, did you just lump the likes of Google's craptastic tech support into the same world as Apple?!

    Congratulations, you've just lost every last shred of my respect, and likely those of many others here.

    But, at least it gave me a really good chuckle on a Friday morning, needed that after a long week at work, thanks!