Google's Project Zero research program has disclosed and released proof-of-concept code for a series of 0day — previously unknown — vulnerabilities found in Apple's OS X operating system for the Mac. These exploits are all fixed in OS X Yosemite 10.10.2, now in beta. Here's a report on the vulnerabilities from Ars Technica:
In the past two days, Project Zero has disclosed OS X vulnerabilities here, here, and here. At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What's more, the first vulnerability, the one involving the "networkd 'effective_audit_token' XPC," may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn't make this explicit and Apple doesn't publicly discuss security matters with reporters.
These vulnerabilities were reported to Apple in October 2014 and made public under Google Project Zero's 90-day disclosure policy. (You can argue the merit of that policy in the comments below.)
None of these exploits can be used remotely, which means they would need to be combined with a remote exploit, or with physical access to the hardware, to be put to any practical use.
The first vulnerability, 130, which could result in privilege escalation, contains the following comment:
See https://code.google.com/p/google-security-research/issues/detail?id=121 for a discussion of mitigations applied in Yosemite.
It includes the following:
Apple added some hardening to libxpc in Yosemite - xpc_data_get_bytes now has the following check: [list of checks]
That vulnerability, 121, is marked as fixed and closed as of January 8.
Closed: Jan 8
This could indicate the 130 vulnerability is also no longer an issue for people running Yosemite.
What's more, based on the latest build of OS X 10.10.2, seeded yesterday to developers, Apple has already fixed all of the vulnerabilities listed above. That means the fixes will be available to everyone running Yosemite as soon as 10.10.2 goes into general availability.
Nick Arnott contributed to this article.
Updated with reference to vulnerability 121.