Project Zero has done it again: Google's private security research team has discovered and disclosed three zero-day flaws in Apple's OS X platform — before Apple patched them.
The three flaws are all relatively low-level. To exploit them in real life, attackers would need some sort of pre-established access to the target's computer. But Google's decision to disclose the flaws before a patch was ready shows how serious the company is about its Project Zero initiative, and what that commitment means for its rivals.
The three flaws are documented on Project Zero's website. One pertains to OS X's "effective audit token" (and may already be fixed in OS X Yosemite); one concerns a null-pointer bug in kernel code; and the third involves kernel memory corruption. Google says it informed Apple of the flaws on Oct. 20, 21 and 23 of 2014, respectively; Project Zero gives companies 90 days after notification to patch flaws.
Apple has not commented about the flaws or when they might be patched. The company rarely speaks about security issues.
Project Zero is a team of Google security researchers whose sole job is to scour software and the Web, no matter who makes the software, for serious security flaws. Many independent researchers make a living doing just this, collecting the "bug bounties" that software companies offer in exchange for being notified about these often-elusive security holes.
Thus far Project Zero has been quite successful, which seems to have caused a few headaches in the rest of the tech space.
Earlier this month, Project Zero disclosed three flaws in Microsoft software. Microsoft wasn't pleased.
"We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon," wrote Microsoft's Chris Betz in a Jan. 11 blog post on the Microsoft Security Response Center.
When Project Zero finds a flaw in a piece of software, its policy is to privately inform the software developers, and then give the developers 90 days to fix it. After that window, the bug becomes public knowledge, informing both the users of the software who need to protect themselves and malicious hackers who might pounce on the information to exploit the flaw.
Project Zero holds strictly to its 90-day grace period, and so far has not granted any known exemptions. That may sound callous, but the longer a flaw exists, the higher the chance clever criminals or cyberspies might discover it on their own.
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.