Google's Project Zero security team have revealed the existence of three zero-day vulnerabilities found in Apple's OS X, following the disclosure of flaws in Microsoft's Windows operating system.
Over the past several days, the tech giant's Project Zero scheme has released details concerning three OS X security issues the team have dubbed severe.
The first flaw, "OS X networkd "effective_audit_token" XPC type confusion sandbox escape," which involves circumvention of commands in the network system, may be mitigated in OS X Yosemite, but there is no clear explaination of whether this is the case. The second vulnerability documents "OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator," and finally, the third, "OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice." includes an exploit related to OS X's kernel structure.
While each flaw requires an attacker to have access to a targeted Mac, each vulnerability could contribute to a successful attempt to elevate privilege levels and take over a machine. Each vulnerability disclosure, as with any disclosed by the Project Zero team, includes a proof-of-concept exploit.
The vulnerabilities have been reported to Apple but the flaws have not been fixed. Once Project Zero's 90-day deadline passes, details of vulnerabilities found in systems are automatically released into the public domain.
On Apple's product security page, the iPad and iPhone maker states:
"For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Apple usually distributes information about security issues in its products through this site and [a] mailing list."
This isn't the first time Google's Project Zero has published vulnerabilities which are yet to be fixed. In the past several weeks, the tech giant's security team has published three separate security flaws in Microsoft's Windows operating system, which were unpatched at the time.
Read on: In the world of security
- Most US businesses vulnerable to insider threats
- Over 90 percent of data breaches in first half of 2014 were preventable
- Bluster, bravado and breaches: Today's 'terrorist' players in cybersecurity
- Mobile malware on the rise worldwide, ransomware hits the spotlight
- Verizon rushes fix for email account open season security flaw
- Microsoft Outlook hacked following Gmail block in China
- High volume DDoS attacks rise in Q3 2014
- Hackers for hire: Anonymous, quick, and not necessarily illegal
- UK hires hackers, convicts to defend corporate networks
- ZeuS variant strikes 150 banks worldwide
Read on: Fixes and Flaws