Google Project Zero Reveals Mac OS Zero-Day Flaws

Tom Jowitt,
MacOS

Google research team reveals three serious Mac OS flaws, after Apple fails to respond with fixes

Google’s Project Zero security team continues to ruffle feathers after it went public with a number of flaws with Apple’s Mac OS X operating system, after the iPad maker failed to respond with fixes.

The flaws are so serious that the could allow a hacker to elevate privilege levels and take over a machine. However, access is required to the target Mac OS machine.

Project Zero

Google revealed its Project Zero security team to the world last July. The remit of the team was to find and fix critical vulnerabilities in anyone’s technology, not just Google’s, before they can be used in cyber attacks.

security vulnerability Shutterstock - © Andy Dean PhotographyThe team drew criticism earlier this month when it revealed a flaw in Windows 8.1 that could allow an attacker to gain control of a system by granting a low-level account administrator privileges. The vulnerability was apparently reported to Microsoft privately on 30 September, but after the bug was not fixed in 90 days, the team went public, presumably in the hope that it would pressure Microsoft into releasing an update.

Now the same thing has happened to Apple, although this time the team have discovered not one problem, but three serious vulnerabilities. It has now gone public with the flaws, after Apple failed to respond with the necessary fixes in a 90 day period.

Apple does not comment, confirm or discuss security problems until a full investigation has taken place.

The flaws were apparently disclosed to Apple on October 20, 21, and 23. The first flaw is to do with the OS X networkd system daemon. The second concerns OS X IOKit kernel code execution and the third is about OS X IOKit kernel memory corruption.

Apple Flaws

Apple has a good reputation overall when it comes to security, but it does have vulnerabilities.

Late last year for example, it emerged that Apple was working on a patch for a serious vulnerability, called “Rootpipe”. That flaw reportedly gives hackers admin privileges on a compromised Mac. To make matters worse, the hackers can exploit the flaw to give themselves the highest admin level, known as root access.

Last July Apple fixed a number of bugs and security flaws in an update to OS X Mavericks, and there have been many other flaws and vulnerabilities over the years as well.

In 2012, Apple was criticised by security researchers who claimed it did not react fast enough to kill off a prevalent malware strain, called Flashback.

How well do you know network security? Try our quiz and find out!