OK Apple, your turn.
After raising a ruckus with the disclosure of three unpatched Windows vulnerabilities, Google’s Project Zero research team did the same this week with a trio of security issues in Apple OS X.
Project Zero imposes a 90-day deadline on vulnerabilities it reports to affected vendors; if a patch is not delivered inside that time frame, details are automatically made public via its external database.
The respective OS X bugs were reported to Apple in late October and 90-day deadlines began expiring this week. The Project Zero disclosures also come with proof-of-concept exploit code.
A request for comment from Apple was not returned in time for publication.
The vulnerabilities affect different components of Apple’s flagship operating system, and include memory corruption, kernel code execution and a sandbox escape. All three require some kind of local access to exploit.
The sandbox escape vulnerability, labeled by Google as OS X networkd “effective_audit_token” XPC type confusion sandbox escape, may have been mitigated starting in the Yosemite version of OS X. Google refers to a separate advisory for those details.
In its disclosure on Tuesday, Google said that the networkd system daemon implements an XPC service API that communicates on behalf of an application. Project Zero said that parameters read out of XPC messages are used without checking the type of the returned value. This allows messages to reach functions outside the sandbox, Google said.
One day later, the 90-day deadline expired on an OS X IOKit kernel execution vulnerability.
“Calling IOConnectMapMemory on userclient type 2 of “IntelAccelerator” with memory type 3 hits an exploitable kernel NULL pointer dereference calling a virtual function on an object at 0x0,” Google said in its advisory. Part of this disclosure originally included a kernel ASLR bypass, but that was patched in Yosemite 10.10, Google said.
The third disclosure happened yesterday and is another OS X IOKit kernel memory corruption vulnerability. Google said a Bluetooth device must be connected to exploit this bug, which is due to a bad bzero in IOBluetoothDevice.
“Userspace can modify the size in shared memory leading to the bzero writing a controlled number of NULL bytes off the end of the buffer,” the advisory said.
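The bug class in that quote, a clear length read from memory the other side can rewrite, shown as an added user-space C example with the unchecked clear beside a checked one. This is not code from the advisory or from Apple: the struct layout, sizes and function names are assumptions made for illustration, and memset stands in for bzero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    64u   /* bytes the owner really allocated (constructed value) */
#define REGION_LEN 128u  /* buffer plus the data that sits right after it */
#define FILL       0xAA

/* Hypothetical layout: 'size' lives in memory the untrusted side can rewrite. */
struct shared_region {
    volatile uint32_t size;
    uint8_t mem[REGION_LEN];  /* [0,BUF_LEN) = buffer, rest = neighbouring data */
};

void region_init(struct shared_region *r, uint32_t size) {
    memset(r->mem, FILL, sizeof r->mem);
    r->size = size;
}

/* Returns 1 if every byte after the buffer still holds FILL. */
int neighbour_intact(const struct shared_region *r) {
    for (size_t i = BUF_LEN; i < REGION_LEN; i++)
        if (r->mem[i] != FILL) return 0;
    return 1;
}

/* Flawed pattern: the length is taken straight from shared memory. */
void clear_unchecked(struct shared_region *r) {
    memset(r->mem, 0, r->size);
}

/* Hardened: fetch the length once into a private copy, check it against the
 * real allocation, and use only that copy. Returns -1 on a bad length. */
int clear_checked(struct shared_region *r) {
    uint32_t n = r->size;
    if (n > BUF_LEN) return -1;
    memset(r->mem, 0, n);
    return 0;
}

int main(void) {
    struct shared_region r;
    region_init(&r, 100);  /* peer claims 100 bytes; the buffer holds 64 */
    clear_unchecked(&r);
    printf("unchecked: neighbour intact = %d\n", neighbour_intact(&r));
    region_init(&r, 100);
    int rc = clear_checked(&r);
    printf("checked: rc = %d, neighbour intact = %d\n", rc, neighbour_intact(&r));
    return 0;
}
```

Copying the length into a local before the check matters as much as the check itself: validating the shared field and then reading it again for the clear would let it change in between.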
Project Zero’s automated disclosures are the latest salvo in the industry’s eternal debate over the sharing and distribution of vulnerability details. Microsoft fought back after Google spilled the beans on a trio of its unpatched bugs, one of which Google refused to sit on for an additional two days before Microsoft was to release a patch.