Google's Project Zero reveals three Apple OS X zero-day vulnerabilities

Google's security team has disclosed three separate zero-day vulnerabilities on Apple's OS X platform. It seems annoying Microsoft wasn't enough.
Written by Charlie Osborne, Contributing Writer

Google's Project Zero security team have revealed the existence of three zero-day vulnerabilities found in Apple's OS X, following the disclosure of flaws in Microsoft's Windows operating system.

Over the past several days, the tech giant's Project Zero scheme has released details concerning three OS X security issues the team have dubbed severe.

The first flaw, "OS X networkd "effective_audit_token" XPC type confusion sandbox escape," which involves circumvention of commands in the network system, may be mitigated in OS X Yosemite, but there is no clear explaination of whether this is the case. The second vulnerability documents "OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator," and finally, the third, "OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice." includes an exploit related to OS X's kernel structure.

While each flaw requires an attacker to have access to a targeted Mac, each vulnerability could contribute to a successful attempt to elevate privilege levels and take over a machine. Each vulnerability disclosure, as with any disclosed by the Project Zero team, includes a proof-of-concept exploit.

The vulnerabilities have been reported to Apple but the flaws have not been fixed. Once Project Zero's 90-day deadline passes, details of vulnerabilities found in systems are automatically released into the public domain.

On Apple's product security page, the iPad and iPhone maker states:

"For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Apple usually distributes information about security issues in its products through this site and [a] mailing list."

This isn't the first time Google's Project Zero has published vulnerabilities which are yet to be fixed. In the past several weeks, the tech giant's security team has published three separate security flaws in Microsoft's Windows operating system, which were unpatched at the time.

Read on: Microsoft slams Google for spilling the beans on Windows 8.1 security flaw | Microsoft fumes, Google discloses another Windows security flaw

Read on: In the world of security


Read on: Fixes and Flaws

Editorial standards