Google’s Project Zero publishes three OS X zero-day vulnerabilities

Ian Paul
27 January, 2015
View more articles fromthe author

OS-X-Yosemite-mac-macworld-australiaGoogle’s not just picking on Windows. The search company’s Project Zero initiative recently published three unpatched bugs in OS X, 90 days after the group privately disclosed the issues to Apple. The new publications bring the number of unfixed security vulnerabilities in OS X discovered by Google to six, according to the Project Zero database.

The new bugs don’t appear to be all that severe and require an attacker to already have access to a vulnerable machine, as first reported by Ars Technica. One of the bugs may have already been fixed in OS X 10.10 Yosemite; however it’s not clear if that’s actually the case.

The story behind the story: Google says its focus with Project Zero is to reduce the number of users harmed by targeted attacks by forcing companies to address ‘zero-day’ exploits within a reasonable time frame. But its disclosure policy is starting to irk some.

Microsoft recently tangled with Google over Project Zero after the search giant made public a number of unpatched bugs in Windows. Microsoft complained that Google’s decision to stick to a 90-day deadline was unfair. In one, case Microsoft planned to release a fix to a Google-discovered bugs on a Patch Tuesday just two days after after the deadline passed. Despite some industry grumbles, however, Project Zero could turn out to be a positive thing for users if making bugs public prompts technology companies to roll out fixes more quickly.

Lots of Apple-flavoured bugs

Google’s Project Zero has already discovered a total of 35 Apple bugs. Most of those bugs have been fixed and only one of them was reclassified as invalid. It’s not clear why Apple decided not to release fixes for the recently published bugs, or if a fix will be released in the coming days.

Google makes public any unfixed bugs 90 days after they are reported to the software vendor (Apple in this case), complete with proof-of-concept code. The three latest Apple bugs were first added to Project Zero (but not published publicly) on October 2021 and 23.


2 people were compelled to have their say. We encourage you to do the same..

  1. Tippy35075 says:

    It good to see that the global community is also helping to protect our favourite operating systems.

  2. Br.Bill says:

    It’s too bad Google is completely opaque as to Project Zero’s relationship with Google itself. Does Project Zero hold Google to the same rigid deadlines it imposes on other companies? Apple and Microsoft have asked for a few days to release patches before Project Zero announces the zero day exploits, but Google refused and published anyway. Less than a week in each case.

    Like police department internal affairs, we have no idea whether Google hides its own misdeeds. I’m not saying that Project Zero is not policing its own district with the same vigor, but rather that we have no way of knowing, and Google isn’t telling. Seems super fishy.

Leave a Comment

Please keep your comments friendly on the topic.

Contact us