Google’s Project Zero Has Found Three Exploits In Apple’s OS X
Google’s Project Zero team has been pretty busy since last few weeks, as it reported multiple flaws in Microsoft’s Windows operating system. Now, the security team has turned its attention to the other big name in the operating systems market — Apple.
The team has revealed multiple security flaws in OS X that could prove to be costly if not fixed. Three of these issues have been found and the team has dubbed them ‘Severe.’
The first flaw as reported by Project Zero team is “OS X networkd “effective_audit_token” XPC type confusion sandbox escape.” This issue could involve circumvention of commands in the network system.
The second flaw is “OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator,” and the third, “OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice,” includes an exploit related to the kernel structure of OS X.
All of the vulnerabilities found by Project Zero security team are quite interesting, but one thing that is worth noting is that the attackers must have access to the targeted Mac for them to work. However, the attacker can change the privilege levels if he/she manages to exploit one of the vulnerabilities, thus taking over the whole machine.
The exploits are currently only reported to Apple, but there’s no confirmation from the company whether they have tried to get rid of these problems or not. The Project Zero has 90 days of deadline which it gives to the company of which the exploits have been found. After the time has passed, the company has the option to make all the data go public, and everyone can get the information.
Apple’s product security page has this to say about the exploits discovered:
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Apple usually distributes information about security issues in its products through this site and [a] mailing list.
As mentioned earlier, Google’s security team also found three major security flaws in Microsoft’s Windows Operating System, which had the potential of being exploited by the attackers.
Now that Apple has been given the details of the vulnerabilities, the iPhone maker has to take steps to fix them before the three months period because everything found will be published after that.