Google these past few weeks published details about security flaws in Microsoft's Windows operating system despite a request by the Redmond giant to hold off until it issued a fix within a few days, and now, the company has published details about three security flaws in Apple's OS X operating system after the stipulated Project Zero 90-day deadline to deliver a fix lapsed.
Google's Project Zero security unit has revealed three flaws in Apple's OS X operating system that might allow hackers to take control of users' Mac systems. The flaws are mentioned as "OS X networkd "effective_audit_token" XPC type confusion sandbox escape", "OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator," and "OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice." The first flaw may be mitigated by changes already present in OS X Yosemite, but that has not been confirmed. Details can be found in Google's Security Research page.
The search giant notified Apple about the flaws back in October. However, it later published detailed information about the flaws including proof-of-concept exploit after the Project Zero team's 90-day cut-off period. Apple has still not addressed the flaws and is yet to mention if these loopholes will be tackled in future. According to iMore (via Engadget), the upcoming OS X Yosemite 10.10.2 update, currently in beta, might be able to bring fixes to the issues.
Apple's product security page states that, "For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."
As mentioned earlier, it is not the first time Google has revealed the details of security flaw of an OS version before its fix rolls out. Google earlier this month revealed a series of security flaws in Microsoft Windows 8.1, for which it was criticised by Microsoft's Senior Director of the Microsoft Security Response Center, Chris Betz. Few days later it went on to reveal two more bugs of Windows 7 and Windows 8.1 to public. While some industry watchers are espousing Google's unyielding approach to bug-fixing, others say Google is being hypocritical by not patching its recently reported Webview bug that potentially affects the majority of Android devices in the market.