Google's Project Zero reveals three new zero-day exploits in Apple's OS X [u]
An internal software security research team at Google has publicly revealed three of recently-discovered zero-day exploits in Apple's Mac OS X desktop operating system, though the severity of each vulnerability is unknown.
Update: Apple's forthcoming OS X 10.10.2 update will contain patches for the IOKit vulnerabilities reported on Friday, according to iMore.
At issue are OS X's networkd and IOKit, which is responsible for two separate cases. The disclosures --?which also include proof-of-concept code -- were first noticed by ArsTechnica.
Project Zero researchers reported the vulnerabilities to Apple last October, and at least one of the problems appears to have been mitigated in OS X Yosemite. The disposition of the remaining two is unclear; they were publicly disclosed 90 days after being reported, which is standard operating procedure for Project Zero.
As noted by Ars, none of the vulnerabilities appear to be directly remotely exploitable --?meaning a malicious actor would already need access to a machine?--?but they could be used in combination with other attacks to escalate the attacker's privileges.
Project Zero is a small group within Google tasked with testing and discovering vulnerabilities in commercial software. The team has already revealed three other flaws in OS X and at least that many in Microsoft's Windows, and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch.
Update: Apple's forthcoming OS X 10.10.2 update will contain patches for the IOKit vulnerabilities reported on Friday, according to iMore.
At issue are OS X's networkd and IOKit, which is responsible for two separate cases. The disclosures --?which also include proof-of-concept code -- were first noticed by ArsTechnica.
Project Zero researchers reported the vulnerabilities to Apple last October, and at least one of the problems appears to have been mitigated in OS X Yosemite. The disposition of the remaining two is unclear; they were publicly disclosed 90 days after being reported, which is standard operating procedure for Project Zero.
As noted by Ars, none of the vulnerabilities appear to be directly remotely exploitable --?meaning a malicious actor would already need access to a machine?--?but they could be used in combination with other attacks to escalate the attacker's privileges.
Project Zero is a small group within Google tasked with testing and discovering vulnerabilities in commercial software. The team has already revealed three other flaws in OS X and at least that many in Microsoft's Windows, and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch.
Comments
That said, Apple should have fixed these by now if they really were properly notified 90 days ago.
I wonder how many zero-day exploits they'd find in Android. Maybe they should turn their attention to that.
That said, Apple should have fixed these by now if they really were properly notified 90 days ago.
I believe their job is to investigate issues in software the Google engineering group encounters when interacting with other products while issues within Android are handled directly by that dept, but I could be wrong as I haven't done much digging into them.
It's a love-hate. They do great and important work, but they are also very willing to skirt the edge of ethical public disclosure for what they see is the greater good (forcing developers to patch their code). Unfortunately, though, these things aren't often black and white and I'm sure many scenarios that pass the 90 day "limit" are in that grey zone.
And 35 other bugs that Project Zero notified Apple about and were fixed.
And 35 other bugs that Project Zero notified Apple about and where fixed.
were, not where
Comment on a blog....not english class!
Google is a joke. They don't care about compatibility issues or stability, so they live in a fantasy world where you can shove a patch out the door whenever you want. Real companies like Microsoft and Apple have to do actual testing of patches, whereas Google claims every product is a beta, so no one can complain it doesn't work.
And there probably isn't a database large enough to hold all of Android's exploits and flaws.
They just stop supporting if when it gets overwhelming.
Well, that could have been prevented had you released the patch the day before, now wouldn't it have, Microsoft?
While this division does serve a worthy purpose, lately they have been putting end-users safety in jeopardy by releasing technical details of these discovered exploits before letting the manufacturers patch them. Though it has been 90 days, they should've reached out to Apple (and Microsoft for another instance like this over the last few days) and attempted to clarify if a patch was indeed in the works, and perhaps adjusting the release of this information to after the patch release date.
Their actions are unethical, but then again, this is Google we're talking about here...
"and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch."
Well, that could have been prevented had you released the patch the day before, now wouldn't it have, Microsoft?
Microsoft had a patch, but they also have a monthly patch cycle demanded by their business clients. Microsoft asked for a 2 day extension so the patch would be available when announced but Google went ahead and released the information anyway.
For a company that just lives in a continuous Beta cycle maybe it is ok to just dump out patches whenever. For a company that is supporting real businesses that isn't a good model - one reason I'd never use Google services in a business environment.
NVM. Nothing gained from replying
Are you one of the developers on the Windows or OS X teams? Do you know how complex it must be to patch a piece of software that is comprised of MILLIONS of lines of code? Do you know how much testing must be done to ensure it doesn't break a product used by MILLIONS of business and consumers around the entire planet? I highly doubt it, so what makes you think you (or even anyone here, including myself for that matter) can make such pretentious and assuming comments without ZERO foundational knowledge?
Another thing, Microsoft was just THREE DAYS away from releasing the patch in that case, and had requested an appropriate extension, instead Google thumbed their nose at the safety of end users, and released the exploit into the wild before MS was ready. That is completely unacceptable. In the case of Apple, again, we don't know how complex this issue was to fix, or how much time they needed to test the fix to ensure they didn't cause any additional issues as a result.
Come on. Let's give Google a little lovin'!
http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html
How many of these are 1000-day exploits? How many Android handset owners haven't any opportunity (or clue how) to patch them?
As someone who codes business intranet web apps for desktop and mobile that make extensive use of Google APIs / toolkits (OAuth, Drive, Calendar, gmail), I beg to differ.
A year ago Google's tech support and corporate customer sales staff were a joke. Today I can only sing their praises. Responsive, professional, effective, inexpensive.
Compared to Apple, Microsoft, Oracle or any of the others - no comparison. Not even close.
Google interoperates with multiple environments and platforms. Apple works with... Apple.
The things our company does with Google services could never be done with iCloud.
ROTFLMAO!!!
I'm sorry, did you just lump the likes of Google's craptastic tech support into the same world as Apple?!
Congratulations, you've just lost every last shred of my respect, and likely those of many others here.
But, at least it gave me a really good chuckle on a Friday morning, needed that after a long week at work, thanks!