Google drops three OS X zero-day vulnerabilities on Apple

“Don’t look now, but Google’s Project Zero vulnerability research program may have dropped more zero-day vulnerabilities—this time on Apple’s OS X platform,” Dan Goodin reports for Ars Technica.

“In the past two days, Project Zero has disclosed [three] OS X vulnerabilities,” Goodin reports. “At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine.”

“Still, the exploits could be combined with a separate attack to elevate lower-level privileges and gain control over vulnerable Macs,” Goodin reports. “And since the disclosures contain proof-of-concept exploit code, they provide enough technical detail for experienced hackers to write malicious attacks that target the previously unknown vulnerabilities.”

Read more in the full article here.


  1. None of them are zero-day vulnerabilities, since they were discovered and reported 90+ days ago. And all of these vulnerabilities require access to the machine in question. Hardly anything worthy of causing panic or even serious concern.

    Click bait headline fail.

    1. INCORRECT. By definition, a zero-day vulnerability is one that is active and new IN PUBLIC on the day it is revealed.

      But yes, these three (probably only two are actually active) all require direct access to the Mac. And I agree, they are NOT worth a panic.

      And NO, this isn’t click bait. This is how zero-day security vulnerabilities are made public.

      However, I don’t hold with Google sticking itself on a pedestal as a great discoverer of security vulnerabilities when Google’s Android’s security is a HORROR of still growing proportions. As I’ve suggested to Google elsewhere: How about throwing stones in your own glass house and not just everyone else’s? Google is intensely insipid regarding its own software security. Idiotic.

      1. The very definition of a “zero-day vulnerability” is that it is made public _before_ the vendor (in this case Apple) knows about it. But that’s not so with Google’s Project Zero… Apple was notified 90 days in advance of the public announcement. Google is just using the term “Project Zero” because it sounds cool, nothing more.

        1. As per my experience with the security community, we have a DIFFERENT definition for the same thing. If it’s made public before it’s fixed, it’s a zero-day. It’s that simple. But my adherence to strict definitions isn’t going to change the world, obviously.

          1. “But my adherence to strict definitions isn’t going to change the world, obviously.”

            No, but I think it’s worth being clear here and having an accepted universally agreed upon definition.

            Wikipedia agrees with your definition:

            “A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application or operating system, one that developers have not had time to address and patch. It is called a “zero-day” because the programmer has had zero days to fix the flaw (in other words, a patch is not available). Once a patch is available, it is no longer a “zero-day exploit”. It is common for individuals or companies who discover zero-day attacks to sell them to government agencies for use in cyberwarfare.”

            If someone has a different definition, they should submit it for Wikipedia review or reconsider what their definition is.

            Also, I would argue the usefulness of coolfactor’s definition. If a threat is in the public, I don’t care so much if the vendor knows about it as much as I care if there’s a patch. Likewise, once a threat is announced, the vendor would know about it, thus any announcement of a zero-day threat becomes an oxymoron.

            1. Even Wikipedia isn’t being clear here. What are we supposed to make of this sentence?

              It is called a “zero-day” because the programmer has had zero days to fix the flaw (in other words, a patch is not available).

              Saying ‘a patch is not available’ is, for me, the entire point of calling it a zero-day. I don’t agree with throwing in the concept that the developer has had ‘zero days’ to patch it.

              But note that I’m an observer attempting to make sense of everything I experience. If there is a colliding pair of ‘zero-day’ definitions, I just get to watch. All I know is that Dan Goodin, whom I respect immensely, is using ‘zero-day’ as I have learned to use it in my travels.

            2. I think what Wikipedia is getting at is more clear after the next sentence, and that is once the patch is available, it’s no longer zero-day. IOW, it doesn’t become zero-day once the vendor knows about it.

            3. Obsessing On Topic: FireEye is a security company recently made famous for having identified the server network and POS infections at Target which were entirely ignored until over 100 million user accounts had been stolen. Good on FireEye, bad on stupid Target.

              Here is what FireEye has to say about zero-days:

              When it comes to “zero-days,” there is much room for confusion in terms of definition and priority. At FireEye, we follow the industry-standard term of “zero-day attacks.” This term is defined as software or hardware vulnerabilities that have been exploited by an attacker where there is no prior knowledge of the flaw in the general information security community, and, therefore, no vendor fix or software patch available for it.

              This follows what I’ve been taught about zero-days. But as they point out: confusion.


            4. I should also be a total snothead and point out that if Apple had managed to patch these security holes in 90 days, as they certainly should have, we wouldn’t be discussing this at all.
              *Boot In Apple’s Arse*

      2. I understood Google’s Project Zero to be looking out for vulnerabilities in many software/hardware sources. It would be highly myopic to think that they are only focused on discovering vulnerabilities in other companies’ products. It’s probably only making news because it’s something to do with Apple and knocking on their reputation for being bug/malware free (or at least to the point of being negligible).

        1. EXACTLY. Google has been pulling the same crap on Microsoft and other software vendors. There was a big brouhaha last week when Google revealed a series of Microsoft vulnerabilities 90 days after Microsoft had been informed. Now they get to play the same game with Apple.

          Google fiddles while Android security BURNS. Idiotic. 😛

  2. “And since the disclosures contain proof-of-concept exploit code, they provide enough technical detail for experienced hackers to write malicious attacks that target the previously unknown vulnerabilities.”
    Gee…thanks Google, that’s just dandy.
    At least now we know that Project Zero is just a scumbag group of ‘black hat’ hackers.
    *I may be jumping the gun – Google might have notified Apple previously, but it doesn’t read that way.

    1. Posting exploit code is entirely standard when revealing zero-day vulnerabilities. Despite Google’s insincerity about their own security, this is standard practice.

      And NO, this is NOT ‘black hat’ hacking. This is strictly white hat hacking, all according to standard, as I pointed out above.

      YES, Google notified Apple about these vulnerabilities, probably providing exploit code as well, exactly 90 days ago. 90 days is again entirely standard for white hat hacking.

      I can’t blame anyone for not understanding the computer security community and its ways. It not only has a high level of difficulty regarding comprehension, but some absolutely idiotic things are done within that community that may benefit one clown but are detrimental to everyone else. One of the most frustrating ‘standard’ practices is having multiple anti-malware discoverers and companies use multiple names for exactly the same thing. The ‘standard’ lack of professional behavior within that community drives me nuts.

      1. Well thanks for patronising me Derek, I really needed to suck eggs…but you obviously didn’t read the bit about me ‘possibly, jumping the gun’. The article didn’t mention that this had been previously disclosed so I went from there.

        1. It’s certainly not your fault if a writer doesn’t make themselves clear.

          Dan Goodin, like myself, has been following these ‘zero-day’ revelations over time. We know Google (and others) always offer 90 days for the developer to fix the problem. Dan is writing for advanced end people in the computer security community. So he’s assuming his readers are ‘in the groove’ like he is.

          I write for average folks, so I attempt to spend time trying to explain the background and context.

  3. Apple has been sitting on other zero-days as well. My guestimate is that there are currently 5 zero-day vulnerabilities pending for Apple to fix. One of those reported today by Google ‘may’ have been patched in Yosemite. But we don’t actually know. (o_O) Obviously, that’s not a good place to be. Hello Apple?!

    BTW: If you still use the Internet Adobe Flash plug-in, UPDATE NOW! The Flash update from two weeks ago, as well as every earlier version of Flash, has a massive security hole being exploited in the wild. The current version of Flash you should be running is v16.0.0.287. (NOT v16.0.0.257!!!)

    You can check what version of the Flash Player.plugin file you’re using here:
    /Library/Internet Plug-ins/

    I wrote up an article about this current Flash exploit as well as a series of steps we can use to protect ourselves from Adobe’s crapware known as Flash:

  4. Apple has those vulnerabilities closed with the latest 10.10.2 beta update which should be released soon I would imagine.
    Oh and since you need physical access to your computer to have anyone try these hacks I wouldn’t be that concerned about it. Also they would have to know your admin user and password to get into your computer first.

    1. Depending on the exploit, the attack may actually involve something as simple as a user plugging in a peripheral. Especially if it is something that does not require permission by a sysadmin to administer. In the past before any network existed (yes, sneakernet) viruses/malware were spread via floppies.
