Apple's OS X 10.10.2 to Fix Security Vulnerabilities Exposed by Google's Project Zero

by

Google's security team, Project Zero, this week disclosed to the public several security vulnerabilities in OS X, some three months after the issue were shared with Apple (via Ars Technica). While Apple has not commented officially on the issues, it appears one has already been patched and iMore reports the remaining two are fixed in OS X 10.10.2, which is currently in developer testing.

macbook_air_yosemite
Project Zero works to discover security vulnerabilities of various operating systems and software, giving their owners 90 days notice to patch the issues before publishing their findings to the public. In their markup of Apple's OS X, problems involving memory corruption, kernel code execution, and a sandbox escape were all discovered by the team. Ars Technica notes:

At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. [...]

Still, the exploits could be combined with a separate attack to elevate lower-level privileges and gain control over vulnerable Macs. And since the disclosures contain proof-of-concept exploit code, they provide enough technical detail for experienced hackers to write malicious attacks that target the previously unknown vulnerabilities.

As the 90-day deadline hit during the week, the group began posting its findings online. Google's notes suggest one of the vulnerabilities was fixed with the release of OS X Yosemite, while the other two remained unaddressed.

But as pointed out by iMore, Apple's incoming OS X 10.10.2 update does indeed include fixes for the remaining two vulnerabilities exposed by Project Zero.

[B]ased on the latest build of OS X 10.10.2, seeded [Wednesday] to developers, Apple has already fixed all of the vulnerabilities listed above. That means the fixes will be available to everyone running Yosemite as soon as 10.10.2 goes into general availability.

Google's Project Zero has been disclosing significant security vulnerabilities for a number of months now, previously discovering a few significant Windows issues and sharing them online. The project shines light on much-needed fixes to various operating systems, but sometimes undercuts the point of security, as in that Windows case that's left users' systems more vulnerable with the publicized knowledge before Microsoft could properly fix it. Still, the 90-day window before public disclosure is intended to give companies time to fix the issues while also giving them incentive to do so in a timely fashion.

Tags: OS X 10.10.2, Project Zero

Popular Stories

Generic iOS 19 Feature Mock Light

iOS 19 Leak Reveals All-New Design

Friday January 17, 2025 2:42 pm PST by
iOS 19 is still around six months away from being announced, but a new leak has allegedly revealed a completely redesigned Camera app. Based on footage it obtained, YouTube channel Front Page Tech shared a video showing what the new Camera app will apparently look like, with the key change being translucent menus for camera controls. Overall, the design of these menus looks similar to...
Read Full Article
2024 App Store Awards

Apple Explains Why It Removed TikTok From the App Store in the U.S.

Sunday January 19, 2025 6:58 am PST by
Apple on late Saturday removed TikTok from the App Store in the U.S., and it has now explained why it was required to take this action. Last year, the U.S. passed a law that required Chinese company ByteDance to divest its ownership of TikTok due to potential national security risks, or else the platform would be banned. That law went into effect today, and companies like Apple and Google...
Read Full Article240 comments
2024 iPhone Boxes Feature

Apple Changes Trade-In Values for iPhones, iPads, Macs, and More

Thursday January 16, 2025 6:45 am PST by
Apple today adjusted estimated trade-in values for select iPhone, iPad, Mac, and Apple Watch models in the U.S., according to its website. Some values increased, while others decreased. The changes were not too significant, with most values rising or dropping by $5 to $50. We have outlined some examples below: Device New Value Old Value iPhone 15 Pro Max Up to $630 U ...
Read Full Article64 comments
Generic iOS 18

Everything New in iOS 18.3 Beta 3

Thursday January 16, 2025 12:39 pm PST by
Apple provided the third beta of iOS 18.3 to developers today, and while the betas have so far been light on new features, the third beta makes some major changes to Notification Summaries and also tweaks a few other features. Notification Summary Changes Apple made multiple changes to Notification Summaries in response to complaints about inaccurate summaries of news headlines. For...
Read Full Article28 comments
iOS 19 Roundup Feature

iOS 19 Rumored to Be Compatible With These iPhones

Saturday January 18, 2025 10:28 am PST by
iOS 19 will not drop support for any iPhone models, according to French website iPhoneSoft.fr. The report cited a source who said iOS 19 will be compatible with any iPhone that can run iOS 18, which would mean the following models: iPhone 16 iPhone 16 Plus iPhone 16 Pro iPhone 16 Pro Max iPhone 15 iPhone 15 Plus iPhone 15 Pro iPhone 15 Pro Max iPhone 14 iPhon...
Read Full Article
airtag 4 pack blue

AirTag 2 Launching This Year With These 3 New Features

Sunday January 19, 2025 8:11 am PST by
After a four-year wait, a new AirTag is finally expected to launch in 2025. Below, we recap rumored upgrades for the accessory. A few months ago, Bloomberg's Mark Gurman said Apple was aiming to release the AirTag 2 around the middle of 2025. While he did not offer a more specific timeframe, that means the AirTag 2 could be announced by the end of June. The original AirTag was announced...
Read Full Article
iPad Pro vs iPhone 17 Air Feature

Here's How Thin the iPhone 17 Air Might Be

Friday January 17, 2025 3:38 pm PST by
For the last several months, we've been hearing rumors about a redesigned version of the iPhone 17 that Apple might call the iPhone 17 "Air," or something along those lines. It's going to replace the iPhone 17 Plus as Apple's fourth iPhone option, and it will be offered alongside the iPhone 17, iPhone 17 Pro, and iPhone 17 Pro Max. We know the iPhone 17 Air is going to be super slim, but...
Read Full Article222 comments
apple power beats pro 2

Powerbeats Pro 2 Coming Soon: Apple to Announce Them 'Imminently'

Sunday January 19, 2025 8:25 am PST by
In September, Apple said that it would be launching Powerbeats Pro 2 in 2025, and it appears the wireless earbuds are coming very soon. Powerbeats Pro 2 images found in iOS 18 code In his Power On newsletter today, Bloomberg's Mark Gurman said the Powerbeats Pro 2 are "due imminently." In addition to Apple filing the Powerbeats Pro 2 in regulatory databases last month, Gurman said Apple is...
Read Full Article59 comments

Top Rated Comments

bawbac Avatar
bawbac
131 months ago
Google is playing dirty.

How?
They could expose the issue without the 90 day grace period if they wanted to be dirty.
Score: 37 Votes (Like | Disagree)
Keirasplace Avatar
Keirasplace
131 months ago
Anyone hear that that explosion at Cupertino?

The irony that Android right now is biggest botnet source in the world right now because of crap level security and upgrade policy... That I could have 100+ separate security patches for Microsoft in one year... Makes Apple pretty secure from any derision from the likes of Google or Microsoft.
Score: 16 Votes (Like | Disagree)
maflynn Avatar
maflynn
131 months ago
Google is playing dirty.

You mean by communicating that OS X has security holes, how's that dirty? It will now at the very least get addressed by Apple
Score: 15 Votes (Like | Disagree)
genovelle Avatar
genovelle
131 months ago
You mean by communicating that OS X has security holes, how's that dirty? It will now at the very least get addressed by Apple

Because they have holes in their own OS that remain open for months that they don't report on. Before a company starts searching for and reporting flaws in someone else's product, that should devote those resources to fixing their own mess.
Score: 14 Votes (Like | Disagree)
jay_app Avatar
jay_app
131 months ago
Google has a disingenuous agenda on this. Where are all the hundreds of issues with Andriod, Chrome OS, gmail, etc? They will not mention them. Should Microsoft or Apple publish Google's issues after 90 days. The list would be very long.
Score: 13 Votes (Like | Disagree)
admmasters Avatar
admmasters
131 months ago
How about Google actually fix their own bugs?

Pretty annoyed at Google at the moment considering Lollipop's widely reported issues and bugs such as this which they consider obsolete, but clearly aren't (reproducible on Macbook Pro Retina Late 2013 + Yosemite 10.10.1): https://code.google.com/p/android/issues/detail?id=39548

Those in glass houses...
Score: 11 Votes (Like | Disagree)
Read All Comments