After exposing three critical zero-day vulnerabilities in Microsoft's Windows operating systems, Google's Project Zero vulnerability research program has revealed three more zero-day vulnerabilities, this time in Apple's OS X.
The team has published details and proof-of-concept exploits for the three OS X bugs, with enough information for an experienced attacker to weaponise them. The details were not released without alerting Apple first: each bug was reported privately and published only after Project Zero's disclosure deadline had passed.
FIRST ZERO-DAY VULNERABILITY
The first flaw, "OS X networkd 'effective_audit_token' XPC type confusion sandbox escape," lets a sandboxed process escape its sandbox. The networkd system daemon accepts XPC messages from less privileged clients and uses the values in them without first checking that each value is of the type it expects (a type confusion), so a malicious client can hand it a value of a different type and corrupt the daemon's behaviour.
Project Zero noted that the bug may already have been mitigated in OS X Yosemite, but its post does not state clearly whether that is the case.
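To make the type-confusion class concrete, here is an added example (not Project Zero's proof of concept and not Apple's networkd or libxpc code) modelling an XPC-style message whose values carry a runtime type tag. The message format, the `msg_value_t` type, `lookup_value()` and the two handlers are hypothetical simplifications; the vulnerable handler reads the value as a string without checking the tag, the hardened one refuses anything that is not a string. The sample messages are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Project Zero's or Apple's code): a simplified model of
 * an XPC-style message whose values carry a runtime type tag. Names such as
 * msg_value_t and lookup_value() are hypothetical; libxpc's real API differs. */
typedef enum { T_STRING, T_UINT64 } msg_type_t;

typedef struct {
    const char *key;
    msg_type_t  type;
    union {
        const char *str;
        uint64_t    u64;
    } v;
} msg_value_t;

typedef struct {
    const msg_value_t *entries;
    size_t             count;
} msg_t;

/* Return the entry for `key`, or NULL if the message lacks it. */
static const msg_value_t *lookup_value(const msg_t *msg, const char *key) {
    for (size_t i = 0; i < msg->count; i++)
        if (strcmp(msg->entries[i].key, key) == 0)
            return &msg->entries[i];
    return NULL;
}

/* VULNERABLE: assumes "path" is a string and reads the union's string member
 * without checking the tag. A sender that supplies a uint64 instead makes the
 * daemon treat an attacker-chosen integer as a pointer (type confusion).
 * The pointer is returned rather than dereferenced so the example runs safely;
 * a real daemon would go on to use it and crash or be hijacked. */
const char *handler_vulnerable(const msg_t *msg) {
    const msg_value_t *val = lookup_value(msg, "path");
    if (val == NULL)
        return NULL;
    return val->v.str;            /* no type check */
}

/* HARDENED: reject any value whose tag is not the expected one before touching
 * the union. A privileged daemon must make this check on every field received
 * from a less privileged (for example, sandboxed) client. */
const char *handler_hardened(const msg_t *msg) {
    const msg_value_t *val = lookup_value(msg, "path");
    if (val == NULL || val->type != T_STRING)
        return NULL;              /* wrong type: refuse the request */
    return val->v.str;
}

/* Constructed sample messages: one well-formed, one hostile. */
static const msg_value_t benign_entries[] = {
    { "path", T_STRING, { .str = "/var/run/example.sock" } },
};
const msg_t benign_msg = { benign_entries, 1 };

static const msg_value_t hostile_entries[] = {
    { "path", T_UINT64, { .u64 = 0x41414141ULL } },   /* not a pointer */
};
const msg_t hostile_msg = { hostile_entries, 1 };

/* Non-zero if the vulnerable handler produced a pointer equal to the
 * attacker's integer, i.e. the confusion succeeded. */
int vulnerable_confused(void) {
    const char *p = handler_vulnerable(&hostile_msg);
    return (uintptr_t)p == 0x41414141ULL;
}

int main(void) {
    printf("benign  -> vulnerable: %s, hardened: %s\n",
           handler_vulnerable(&benign_msg), handler_hardened(&benign_msg));
    printf("hostile -> vulnerable confused: %d, hardened rejects: %d\n",
           vulnerable_confused(), handler_hardened(&hostile_msg) == NULL);
    return 0;
}
```

The point of the check is where it sits: on the privileged side of the boundary, before the value is used. Checking types in the client is worthless, because the client is the party under the attacker's control.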
SECOND ZERO-DAY VULNERABILITY
The second and third vulnerabilities both lie in IOKit, OS X's low-level kernel driver framework.
The second flaw, "OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator," is a NULL pointer dereference in the IntelAccelerator graphics driver. A local user who can already run code on the machine can exploit it to execute code in the kernel and so gain root (superuser) privileges: a local privilege escalation.
THIRD ZERO-DAY VULNERABILITY
Last but not least, "OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice," is a kernel memory corruption bug: a mis-sized bzero() call in the IOBluetoothDevice driver lets a local attacker clear kernel memory it should not be able to reach. At minimum that crashes the system; with more work it can be turned into reading or modifying data the attacker is not entitled to.
None of the three vulnerabilities is remotely exploitable on its own, so none of them is critical in isolation: each requires an attacker who can already run code on the target Mac (for example, inside a sandboxed application), not physical access. The real concern is chaining. Combined with a separate exploit that gives an attacker code execution at low privilege, such as a browser bug, these flaws provide the step from a sandboxed or unprivileged process to full control of a vulnerable Mac.
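The "bad bzero" class is easier to see in a small model. The following is an added example, not the IOBluetoothDevice code or Project Zero's exploit: a kernel-style object clears an output buffer with a length that arrives from the (untrusted) caller. The arena layout, struct names and the assumption that the length is caller-supplied are hypothetical; the vulnerable version never bounds the length, so an oversize request zeroes the neighbouring object, while the hardened version rejects it before writing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the IOBluetoothDevice code): a model of a kernel object
 * that zeroes a caller-described buffer. The arena, struct layout and field
 * names are hypothetical; the real driver's structures are not shown here. */

#define OBJ_SIZE 32

/* Two adjacent "kernel" objects carved from one arena, as a heap allocator
 * would place them. The second holds fields the attacker must never touch
 * (think of a reference count or a method pointer). */
typedef struct {
    uint8_t  buf[OBJ_SIZE];   /* output buffer the client may ask to clear */
} victim_obj_t;

typedef struct {
    uint64_t refcount;
    uint64_t method_ptr;      /* stands in for a C++ vtable/function pointer */
    uint8_t  pad[OBJ_SIZE - 16];
} neighbour_obj_t;

typedef struct {
    victim_obj_t    victim;   /* at offset 0 */
    neighbour_obj_t neighbour;/* at offset OBJ_SIZE: no padding, 32 is 8-aligned */
} arena_t;

static void arena_init(arena_t *a) {
    memset(a->victim.buf, 0xAA, sizeof a->victim.buf);
    a->neighbour.refcount   = 1;
    a->neighbour.method_ptr = 0xDEADBEEFCAFEF00DULL;
}

/* VULNERABLE: the length comes straight from the untrusted caller and is never
 * compared with the buffer's real size, so a request larger than OBJ_SIZE
 * clears memory belonging to whatever sits next in the heap. The write goes
 * through the arena pointer (same address as victim.buf) so that the
 * demonstration stays within one object and the behaviour remains defined. */
void clear_buffer_vulnerable(arena_t *a, size_t caller_len) {
    memset((uint8_t *)a, 0, caller_len);      /* bzero(victim.buf, caller_len) */
}

/* HARDENED: bound the caller-supplied length by the buffer's capacity and
 * return an error (the kernel equivalent of kIOReturnBadArgument) instead. */
int clear_buffer_hardened(arena_t *a, size_t caller_len) {
    if (caller_len > sizeof a->victim.buf)
        return -1;                            /* reject oversize request */
    memset(a->victim.buf, 0, caller_len);
    return 0;
}

/* Demonstration helpers: run each variant on a fresh arena with the given
 * length and report what is left of the neighbour's method pointer. */
uint64_t neighbour_after_vulnerable(size_t caller_len) {
    arena_t a;
    arena_init(&a);
    clear_buffer_vulnerable(&a, caller_len);
    return a.neighbour.method_ptr;
}

uint64_t neighbour_after_hardened(size_t caller_len) {
    arena_t a;
    arena_init(&a);
    (void)clear_buffer_hardened(&a, caller_len);
    return a.neighbour.method_ptr;
}

int hardened_rc(size_t caller_len) {
    arena_t a;
    arena_init(&a);
    return clear_buffer_hardened(&a, caller_len);
}

int main(void) {
    size_t oversize = OBJ_SIZE + 16;   /* constructed hostile length */
    printf("vulnerable: neighbour method_ptr = 0x%llx\n",
           (unsigned long long)neighbour_after_vulnerable(oversize));
    printf("hardened:   rc=%d, neighbour method_ptr = 0x%llx\n",
           hardened_rc(oversize),
           (unsigned long long)neighbour_after_hardened(oversize));
    return 0;
}
```

Zeroing is a particularly attractive primitive for an attacker: clearing a reference count or a pointer in an adjacent object is often enough to set up a use-after-free or a controlled NULL dereference, which is why a "mere" bzero with the wrong size counts as kernel memory corruption.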
GOOGLE PROVIDED POC OF ALL THREE FLAWS
The team has also made proof-of-concept (PoC) exploit code available for each flaw, which gives enough technical detail to build a working attack. Google reported the flaws privately to Apple on October 20, October 21 and October 23, 2014; when the 90-day disclosure deadline expired without a fix, it published all three.
GOOGLE’S PROJECT ZERO TEASED MICROSOFT
It is no surprise that Project Zero has published vulnerabilities that are yet to be patched. In the past few weeks the team disclosed three separate security flaws in Microsoft Windows before Microsoft had shipped fixes for them.
Google's Project Zero is an initiative that hunts for security holes in widely used software, reports them privately to the vendor and publishes the details 90 days after the report, whether or not a patch has shipped. The tight 90-day deadline is meant to push vendors to fix their products before the bugs are found and exploited by criminals.
Apple has not said when or how it will fix the issues. Its product security page states that Apple does not "disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available".