Ars Technica reports that Google’s Project Zero team has made public three security vulnerabilities found in Mac OS X. Fortunately, Apple has been made aware of the issues prior to their public release and has already fixed one of the vulnerabilities while the other two will be fixed in the upcoming release of Mac OS X Yosemite 10.10.2 which is currently in beta.
Project Zero is a white hat hacking group formed and funded by Google that attempts to breach the security of all major systems that everyday users depend on. Once the group finds a system vulnerability, they get in touch with the company that maintains the software, informs them of the problem and even gives them proof-of-concept source code that demonstrates the issue. The developers of the software product then have three months to implement patches and release them to their customers. As soon as the three months expire, Project Zero publishes the “0day” vulnerability on their website along with the proof-of-concept source code.
Apple is not the only company that has had their vulnerabilities publicly released. Microsoft has also recently experienced the uncomfortable situation of having unpatched Windows bugs in the wild. Fortunately for Apple customers, the issues discovered by the Project Zero team are rather isolated since they require the attacker to have local access to the Mac. In other words, either someone needs to have physical access to your machine in order to hack it, or they need to combine the 0day exploits with other vulnerabilities that will grant them local access.
The three exploits found by the Project Zero team are the following:
– The first issue has to do with a sandbox bug.
– The second vulnerability exposes an exploitable NULL pointer in the kernel.
– The third 0day bug has do to with a security loophole in Apple’s Bluetooth stack.
Leaving aside whether it’s good of the Project Zero team to publicly release information about vulnerabilities that will soon be patched, these recent events have once again raised the question: Is Apple doing too many things at once and not devoting enough time to solidify the performance and security of its platforms?
A growing number of users support the opinion that Apple has too many balls in the air and the amount of time it can spend on each one is very limited. Between the annual software release cycles of iOS and OS X (and possibly Watch OS going forward), Apple engineers have less and less time to iron out bugs and streamline the operation of the operating systems. The solution brought forward is that Apple needs to take a year during which to focus not on new features, but on making sure that all the features and functionality “just work”. We’ve already seen the Cupertino company do this with the move from Mac OS X Leopard to Mac OS X Snow Leopard.