[Infowarrior] - Google drops three OS X 0days on Apple

[Richard Forno]

Google drops three OS X 0days on Apple

Disclosures provide enough detail for skilled hackers to write their own exploits.

by Dan Goodin - Jan 22 2015, 7:38pm EST

http://arstechnica.com/security/2015/01/google-drops-three-os-x-0days-on-apple/

Don't look now, but Google's Project Zero vulnerability research program may have dropped more zero-day vulnerabilities—this time on Apple's OS X platform.

In the past two days, Project Zero has disclosed OS X vulnerabilities here, here, and here. At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What's more, the first vulnerability, the one involving the "networkd 'effective_audit_token' XPC," may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn't make this explicit and Apple doesn't publicly discuss security matters with reporters.

Still, the exploits could be combined with a separate attack to elevate lower-level privileges and gain control over vulnerable Macs. And since the disclosures contain proof-of-concept exploit code, they provide enough technical detail for experienced hackers to write malicious attacks that target the previously unknown vulnerabilities. The security flaws were privately reported to Apple on October 20, October 21, and October 23, 2014. All three advisories appear to have been published after the expiration of the 90-day grace period Project Zero gives developers before making reports public.

Assuming the vulnerabilities remain active in at least some versions of OS X, it wouldn't be the first time Project Zero has gone against a developer's wishes and made unfixed security bugs known to the whole world. The Google-backed program has already published three unpatched vulnerabilities in Windows.
--
It's better to burn out than fade away.