Google logo (Photo : Reuters)
Google'Project Zero published three vulnerabilities of Apple's OS X, according to SMN Weekly.
The vulnerabilities will not allow hackers to get into the computers of unsuspecting Mac owners directly. The attacker will need to have access to a prospected Mac but coupled with other vulnerabilities, it could shoot up the attacker's privileges to cause damage to the Mac.
The first one is dubbed as "OS X networked effective_audit_token XPC type confusions sandbox escape."
The second flaw is called "OS X IOKit kernel code execution due to NULL pointer dereference in IntelAcclerator." The last vulnerability is "OS X IOKit kernel memory corruption due to bad bzero in IOBlutoothDevice."
Google has reported the vulnerabilities to Apple but the flaws were not fixed. After 90 days, Google published it to the public since there are no resolutions done.
Apple's silent treatment is expected since their security page stated that security issues are not publicized and openly discussed for the protection of Apple clients. A thorough investigation must be done before any public release, CNet reported.
Aside from Apple, Project Zero published vulnerabilities from Microsoft before. Google followed the 90-day rule before they published the Windows bugs. However, Microsoft was disappointed since they wanted to release a patch two days before the bugs were publicized.
To add fuel to the fire, Microsoft said that Google was aware of their plan to release a patch but the latter went ahead with publishing the bugs. Microsoft released a statement saying they believe in "Coordinated Vulnerability Disclosure," which means that researchers and vendors should agree about the limitations of public disclosure in order to protect clients and prevent further damage from attackers.
Microsoft added that they requested Google to work with them but the latter's decision was "more like a 'gotcha', with customers the ones who may suffer as a result." Microsoft declared that they encourage Google to make protecting the customers as their main goal.
Project Zero is an initiative from Google to help customers be fearless in using the World Wide Web. For the most part, the project's aim is to research for attacks that may harm the clients' computer and trespass their privacies.
As of this time, Apple has not released an official statement similar to Microsoft about the vulnerabilities discovered by Project Zero.
