Google's Project Zero targets OS X with three new exploits

Google's Project Zero has released more 0day vulnerabilities, this time aiming at Apple. Over the past few days, Project Zero has slowly released some exploits found in OS X Yosemite. The vulnerability exposure team at Google first provides its findings to the company in charge of the software. That company then has 90 days to fix the issue before Google's Project Zero team publishes it to the world. While Microsoft was responsive to Google's release, Apple is much more tight-lipped.

When Project Zero released info about a vulnerability in Windows, Microsoft clapped back, damning the program's purpose. According to Microsoft, the release of its vulnerability info was in bad taste, and could result in more trouble than it solved.

Apple, on the other hand, hasn't said a word about the vulnerabilities released by Google's Project Zero. Ars Technica believes Apple has already patched at least one of the exploits, but Apple doesn't comment on such things publicly.

The problem with the released exploits is that they could provide a blueprint for black-hat success. Project Zero releases their proof-of-concept code to 'show their work', so to speak, but in doing so might just open up a can of worms. When you lay out how you achieved an exploit, you're also giving a crash course in how to repeat the effort, or (possibly) worse — modify it.

The Windows exploits exposed by Project Zero remain unpatched. As for those on OS X, it's not clear if they're old news or in the fix pipeline at Apple. What is clear here is that the crowd paying attention to these exploits has a very mixed reaction as to whether Google is being helpful or harmful.

Via: Ars Technica

Source: Project Zero 1, 2, 3