Google’s ‘Project Zero’ Zaps Apple As It Discloses Three OS X Vulnerabilities

Microsoft no longer needs to feel singled out by Google and its Project Zero team for disclosing multiple unpatched vulnerabilities in Windows. It wasn't personal, just an inflexible policy on the part of Project Zero to give companies a 90-day window to patch any vulnerabilities it finds before making them public. And now it's Apple that's in Project Zero's spotlight.

Project Zero has made public a trio of zero-day vulnerabilities discovered in Apple's OS X platform, releasing all the gory details of each one to the public after Apple failed to address them within the allotted 90-day windows.

None of the three vulnerabilities are considered critical. What's more, the first one involves the "networkd 'effective_audit_token' XPC" and may already be mitigated in OS X Yosemite, though the advisory isn't all that clear on this. Regardless, all three security holes require an attacker to have access to a targeted Mac.

The issue at play here is whether or not Google and its Project Zero team are doing the right thing by disclosing unpatched security flaws, which leaves users more vulnerable to attack until a patch is rolled out. Those who support Project Zero's policy say that it's for the greater good and puts pressure on companies to fix their software in a timely manner. The opposing argument is that Project Zero should be a little more flexible, especially in instances like Microsoft's, where the company asked Google to keep the flaw under wraps for two more days so that it could include a fix with its Patch Tuesday updates.

As for Apple, Project Zero has discovered 35 security holes so far, most of which have either been fixed or deemed invalid.

Via: ZDNet