Project Zero, Google’s security team, publicly disclosed three security vulnerabilities in OS X, following its standard procedure of making its discoveries public 90 days after reporting them to the software maker.
Apple hasn’t officially commented on these discoveries, but it did fix one of these vulnerabilities with OS X Yosemite, and the other two have been patched in OS X 10.10.2, which is currently in beta.
In the past two days, Project Zero has disclosed OS X vulnerabilities here, here, and here. At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What’s more, the first vulnerability, the one involving the “networkd ‘effective_audit_token’ XPC,” may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn’t make this explicit and Apple doesn’t publicly discuss security matters with reporters.
The other two vulnerabilities have been patched in the OS X 10.10.2 beta that was seeded a couple of days ago.
Google’s 90-day public disclosure policy has been criticised by Microsoft as not being responsible: if a bug is not patched in time, disclosure can give hackers an opportunity to exploit it, leaving users less secure than before. The other line of thought is that the 90-day deadline pushes companies to deliver fixes faster than their usual timeline.