Thursday, January 22, 2015

Latest OS X 10.10.2 beta kills Google-disclosed vulnerabilities dead

Google's Project Zero research program has disclosed and released proof-of-concept code for a series of 0day — previously unknown — vulnerabilities found in Apple's OS X operating system for the Mac. Fortunately, OS X Yosemite 10.10.2, now in beta, has already patched these vulnerabilities. Here's a report on the vulnerabilities from Ars Technica:

In the past two days, Project Zero has disclosed OS X vulnerabilities here, here, and here. At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What's more, the first vulnerability, the one involving the "networkd 'effective_audit_token' XPC," may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn't make this explicit and Apple doesn't publicly discuss security matters with reporters.

Because the first exploit could result in privilege escalation — it could let someone get deeper access to your computer than they ought to be allowed — and Google included proof-of-concept code, these vulnerabilities are something to pay attention to. That exploit, however, was marked as fixed and closed by Google on January 8.

Based on the latest build of OS X 10.10.2, seeded yesterday to developers, however, Apple has already fixed all of the vulnerabilities. That means the fixes will be available to everyone running Yosemite as soon as that update goes into general availability.







