Don’t look now, but Google’s Project Zero vulnerability research program may have dropped more zero-day vulnerabilities – this time on Apple’s OS X platform.
In the past two days, Project Zero has disclosed OS X vulnerabilities here, here, and here. At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What’s more, the first vulnerability, the one involving the “networkd ‘effective_audit_token’ XPC,” may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn’t make this explicit and Apple doesn’t publicly discuss security matters with reporters.
You’d think a writer at Ars Technica was aware of what a zero-day is. These are 90-days, meaning Google is giving – int his case – Apple two to three times as long as industry sort-of standard (which is 30–45 days). Of course, Google dropping zero-days on Apple will draw a lot more clicks, but that doesn’t make it any less bullshit. Then again, it isn’t like this is the first time this particular author sensationalises to the point of ridiculousness.
The other points from before, of course, still stand. In addition, it’d be great if other companies started combing through Google’s stuff too.