Google Roasts Apple, Discloses 3 OS X Bugs

Project Zero has done it again: Google's private security research team has discovered and disclosed three zero-day flaws in Apple's OS X platform — before Apple patched them.

The three flaws are all relatively low-level. To exploit them in real life, attackers would need some sort of pre-established access to the target's computer. But Google's decision to disclose the flaws before a patch was ready shows how serious the company is about its Project Zero initiative, and what that commitment means for its rivals.


The three flaws are documented on Project Zero's website. One pertains to OS X's "effective audit token" (and may already be fixed in OS X Yosemite); one has to do with a null pointer that was causing a kernel code flaw; and another has to do with kernel memory corruption. Google says it informed Apple of the flaws on Oct. 20, 21 and 23 of 2014, respectively; Project Zero gives companies 90 days after notification to patch flaws.

Apple has not commented about the flaws or when they might be patched. The company rarely speaks about security issues.

Project Zero is a team of Google security researchers whose sole job is to scour software and the Web, no matter who makes the software, for serious security flaws. Many independent researchers make a living doing just this, collecting the "bug bounties" that software companies offer in exchange for being notified about these often-elusive security holes.

Thus far Project Zero has been quite successful, which seems to have caused a few headaches in the rest of the tech space.

Earlier this month, Project Zero disclosed three flaws in Microsoft software. Microsoft wasn't pleased.

"We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon," wrote Microsoft's Chris Betz in a Jan. 11 blog post on the Microsoft Security Response Center.

When Project Zero finds a flaw in a piece of software, its policy is to privately inform the software developers, and then give the developers 90 days to fix it. After that window, the bug becomes public knowledge, informing both the users of the software who need to protect themselves and malicious hackers who might pounce on the information to exploit the flaw.

Project Zero holds strictly to its 90-day grace period, and so far has not granted any known exemptions. That may sound callous, but the longer a flaw exists, the higher the chance clever criminals or cyberspies might discover it on their own.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.

  • phatboe
    I wonder if Google is intentionally targeting MS and Apple due to them constantly bullying Google Android partners over IP disagreements over Android devices.
  • derekullo
    The other side of the coin is Microsoft and Apple software has the most bugs.

    Not bashing them. Just saying an operating system has a lot of lines of code.
  • DarkSable
    Guys, Google isn't targeting anybody. They're giving the owners of any bugs they find AMPLE time to fix them, and these companies aren't fixing serious bugs in a reasonable amount of time, then are complaining when the information is released...

    This grace period is a standard practice in the industry, and is a decent balance between announcing the bugs (and letting hackers in before the company has a chance to fix them) and only telling the company, letting them not ever fix it if they don't care to.
  • Jill Scharr
    Hi everyone, thanks for your comments! From my experience, I agree with DarkSable: Project Zero is probably looking at the most commonly used software in an effort to find bugs that would potentially affect the greatest number of people, and Microsoft and Apple are certainly at the top of that list. The grace period for bug disclosure is standard practice. Apple's and Microsoft's sheer size count both for and against them in terms of being able to patch issues in a timely manner, but my understanding is that 90 days is not an unreasonably short amount of time.
    "..attackers would need some sort of pre-established access to the target's computer."

    You should have found the security flaw that does that first, and then post this ridiculous attack piece on Apple.
  • plasmastorm
    Good guy google?

    Time will tell.
  • The_Bytemaster
    These days, most of the big bugs seem to still be found in Adobe software, such as Flash and Acrobat Reader.

    That said, they should give them a little wiggle room on the 90 days. The Microsoft case was ridiculous as Microsoft had the patch ready and was releasing on their next patch day, which was just a couple of days beyond the 90 days. It is proven that if you rush little patches that it causes chaos in IT organizations and can sometimes lead to worse unpatched scenarios. Not granting them the extra couple of days did nobody a service except Google.
  • therickmu25
    I'm sorry but who is Google to determine other companies' timelines and guidelines for fixing problems?
    Wasn't the problem with Microsoft with the 'Kernel' in their code? Something like that would need to be quality checked beyond quality checked since it trickles down to every product that uses the software.

    This whole, "they gave them reasonable time" is garbage because you don't know what the project fully entailed and neither does Google because they don't work for Microsoft or Apple and know 1. their workload, 2. what projects are fully prioritized in their day to day tasks. Completely unprofessional but what would you expect from smug 20- 30 year old somethings who wear shorts and flip-flops to work and all make over $100k a year.
  • SnakeV943
    You can tell Google is getting desperate.
  • eklipz330
    how is this in any way a form of desperation? they have nothing to gain from doing this. they are using money from their own pocket to find security issues in other products.

    it's only a benefit to them IN PUBLICITY ONLY if they refuse to patch it. otherwise, there is nothing to gain.