
OS X vulnerabilities: Google discloses 0-days

In terms of IT security, the tension has escalated between Microsoft and Google. The Redmond firm criticized the Mountain View firm for having released technical details of vulnerabilities affecting Windows before patches were available.

Such disclosures took place via Project Zero, whose policy is to notify the affected vendor in advance. After a period of 90 days, a public disclosure (or full disclosure) takes place even if the appropriate fix is not available.

Google has shown itself to be adamant about this 90-day period, notably refusing to accede to Microsoft's request to delay a full disclosure by two days. That delay would have allowed January's Patch Tuesday to act in time. Worse... Google did it again soon after.

Ars Technica has found that Apple is entitled to the same treatment as Microsoft. Note that Apple has often been singled out by security experts for its slow patching, and that appears to have been the case here. On October 20, 21 and 23, 2014, Project Zero confidentially notified Apple of three security vulnerabilities in OS X. These were disclosed after 90 days, as Apple had not delivered a fix.

Looking a little further, we also found other vulnerabilities affecting OS X in the same situation, for which Apple was notified in mid-2014. Except for one rated low risk, the severity of the others is rated high.

There are a few caveats, however, in that exploitation requires attackers to have access to the targeted Mac computer. It remains to be seen whether Apple will be as annoyed as Microsoft by Google's attitude.

When questioned by iTnews, Apple declined to comment. A spokesperson only referred to a page on the Apple site where it says:

"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues before a thorough investigation, and until fixes or updates are available."