Latest OS X 10.10.2 beta kills Google-disclosed zero-day vulnerabilities

“Google’s Project Zero research program has disclosed and released proof-of-concept code for a series of 0day — previously unknown — vulnerabilities found in Apple’s OS X operating system for the Mac,” Rene Ritchie reports for iMore. “These exploits are all fixed in OS X Yosemite 10.10.2, now in beta.”

“These vulnerabilities were reported to Apple in October of 2014 and made public as part of Google Zero Day’s 90 day disclosure policy,” Ritchie reports. “None of these exploits can be used remotely, which means they’d need to be combined with remote exploits or with physical access to the hardware to be put to any practical use.”

Read more in the full article here.

Related article:
Google drops three OS X zero-day vulnerabilities on Apple – January 23, 2015


  1. It is “interesting” that Google is exposing, to the public, security holes under this 90 day “zero-day’ policy for virtually every operating system BUTtheir own. AND, they don’t clearly differentiate between those that require advanced knowledge plus physical access (in the real world not very dangerous) versus those that can be implemented remotely with little user knowledge (in the real world very dangerous).

    This is just a publicity stunt by Google. They’re trying to yell, “See all those non Google guys have huge security problems! We don’t!” They’re trying to frame it as a “public service”, but what service are they providing other than an attempt at free advertising for themselves.

    Oh wait… For a moment I forgot.

    Google is ALL about advertising with little or no substance at all.

    My bad.

    1. Sorry, that’s like asking why doesn’t Apple or Microsoft regularly report security holes in their own products. Google has this project partly to protect its own interests on the OSes which are the usual foundations Google products run on.

    2. This is just a publicity stunt by Google

      That is indeed part of the point. I’m grateful for any white hat hacker. But Google is also making it inadvertently clear that it doesn’t give a rat’s about its own operating system, Android. Hippo hypocrisy. [That’s my newly invented phrase of the day!] 😛

  2. Unfortunately, the retard masses will continue their sycophantic love for google’s “free” products that suck money for their data like a leech sucks blood.

    Ignorance is bliss. Americans are some of the most unsophisticated creatures on the planet.

    1. Who is being ignorant.. It has been 90 days since it was reported to Apple by Google. Only now do we hear about Apple having fixed it in their latest OS update. Doesn’t it seem reasonable that Apple only became aware of the exploits thanks to Google’s project? The exploit was probably made public because of Apple’s usual policy of keeping to itself and not letting Google know that they fixed it.

      1. You are the ignorant. “Zero day” means that it is an EXISTING issue, not something that suddenly came up 90 days ago just because Google told Apple. Since no hacker has exploited them already (before it was “known”), AND “None of these exploits can be used remotely, which means they’d need to be combined with remote exploits or with physical access to the hardware,” Apple deemed it NOT urgent. The fix is going to be included in the next planned system update, which is 10.10.2.

  3. I can’t tell you how many times I tried to open this page on my iPhone, each time getting bounced out by some shitty ad. That’s it for me, I’m off to some other site to get my, ahem, ‘news’. MDN can poke it up their ass.

    1. MDN has control over what advertising and scripting is placed on its own pages. Why it can’t figure out that Bait & Switch means (A) Lost readers and (B) Lost revenue, I cannot comprehend. It’s bad marketing, DUH. I’d be sorry to lose this website because of USER ABUSE.

  4. Much as I respect René Richie, this is just speculation:

    What’s more, based on the latest build of OS X 10.10.2, seeded yesterday to developers, Apple has already fixed all of the vulnerabilities listed above.

    From my reading/research, no one is claiming that the last two (135 and 136) of the ‘zero-days’ (or whatever you want to call them) have been patched in the latest beta of 10.10.2. René is setting himself up to be quoted as saying they WERE patched, when he actually CANNOT. That’s not a good situation. Careful please!

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.