Google’s Project Zero security team has revealed three vulnerabilities found in Apple’s OS X. Project Zero has a policy that simply states the software maker has 30 days in order to fix the bug or it will be made public. The reasoning is that in 30 days a company should be able to resolve any serious threats and if not this will motivate them to get it done.
These vulnerabilities are definitely not the end all be all of computer vulnerabilities, but they can be quite troublesome. The first flaw that has been dubbed “OS X networkd”effective_audit_token” XPC type confusion sandbox escape,” would allow someone to get around network settings that are set on the computer.
The second vulnerability code named “OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator” would allow a hacker to run a program and set it as a priority over all other items on the computer.
The third vulnerability “OS X IOKit kernel memory corruption due to bad zero in IOBluetoothDevice” is an exploit to the OS X kernel structure.
A potential attacker could use these vulnerabilities to raise their privilege levels effectively letting them take control of the computer.
An interesting note on Apple’s product security page states that:
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Apple usually distributes information about security issues in its products through this site and the mailing list below.
Google has been known to publish vulnerabilities as it has done so in the past to Micosoft, as well as other companies. In most cases, they are fixed before Google has the chance to publish them but it would appear Apple has yet to address this issue.