Google’s Project Zero has released information on three as yet unpatched vulnerabilities in Apple’s OS X operating system, reports Ars Technica.
CNET describes the three exploits in detail. The first involves “circumvention of commands in the network system”, but may already be a non-issue for users on OS X Yosemite. The second documents “OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator.” The final bug is an exploit relating to OS X’s kernel structure. All three of the exploits would require an attacker to have access to a targeted Mac.
Engadget reports that Google notified Apple of the vulnerabilities back in October, but has automatically published details as part of Project Zero’s “usual 90-day cutoff period.”
As Apple’s security page states, the company does not comment on security issues until any threats are confirmed and dealt with, or dismissed as inaccurate: “For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”
The release of the unpatched vulnerabilities comes just weeks after Google’s Project Zero released details of a vulnerability in Microsoft’s Windows 8.1 operating system. At the time, Google faced some criticism for the automatic release of vulnerabilities, 90 days after disclosure, but security engineer Ben Hawkes defended the policy, saying, “Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face.”
“With that said, we’re going to be monitoring the effects of this policy very closely … We’re happy to say that initial results have shown that the majority of the bugs that we have reported … get fixed under deadline, which is a testament to the hard work of the vendors,” he added.
Author Alan Martin, ESET