Latest OS X 10.10.2 build features Google Project Zero discoveries/fixes

Posted by:
Date: Friday, January 23rd, 2015, 10:23
Category: News, security, Software

yosemitelogo

If Yosemite is driving you a bit crazy, the good news is that the upcoming version won’t feature any bugs that have been pinned down by Google.

Per iMore and Ars Technica, Google’s Project Zero research program has disclosed and released proof-of-concept code for a series of 0day — previously unknown — vulnerabilities found in Apple’s OS X operating system for the Mac. It should be noted, however, that the first vulnerability was marked as fixed and closed by Google two weeks ago, and the others are fixed in OS X Yosemite 10.10.2, now in beta.


Here’s a report on the vulnerabilities as they stand:

In the past two days, Project Zero has disclosed OS X vulnerabilities here, here, and here. At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What’s more, the first vulnerability, the one involving the “networkd ‘effective_audit_token’ XPC,” may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn’t make this explicit and Apple doesn’t publicly discuss security matters with reporters.

None of these exploits are remote either, which means they’d need to be combined with a remote exploit, or physical access to the hardware would be needed, before they could be put to any practical use.

Also, again, the first exploit, which could result in privilege escalation, was marked as fixed and closed by Project Zero on January 8. Based on the latest build of OS X 10.10.2, seeded yesterday to developers, Apple has also already fixed both of the remaining vulnerabilities.

That means the fixes will be available to everyone running Yosemite as soon as that update goes into general availability.

Stay tuned for additional details as they become available.

Recent Posts

Comments are closed.