Three OS X Vulnerabilities Disclosed by Google

The details of three high-severity vulnerabilities affecting Apple’s OS X operating system have been disclosed over the past two days by Google.

Vulnerability reports containing details and proof-of-concept code were created by Ian Beer, a member of Google’s Project Zero initiative.

The security holes were reported to Apple on October 20, October 21, and October 23. Their details were made public this week after the 90-day disclosure deadline given by Project Zero to vendors expired.

One of the flaws has been described as an “OS X networkd ‘effective_audit_token’ XPC type confusion sandbox escape.” The issue was successfully tested on OS X Mavericks 10.9.5, but it might have been fixed in OS X Yosemite 10.10.

“networkd is the system daemon which implements the com.apple.networkd XPC service. It’s unsandboxed but runs as its own user. com.apple.networkd is reachable from many sandboxes including the Safari WebProcess and ntpd (plus all those which allow system-network),” reads Google’s advisory for the bug. “networkd parses quite complicated XPC messages and there are many cases where xpc_dictionary_get_value and xpc_array_get_value are used without subsequent checking of the type of the returned value.”

The second issue is an IOKit kernel code execution vulnerability caused by “NULL pointer dereference in IntelAccelerator.” While initially Beer believed this flaw might have been fixed in OS X Yosemite, he later clarified that the bug exists even in version 10.10.

The third vulnerability disclosed by Google this week is an IOKit kernel memory corruption bug. The flaw involves the IOBluetoothDevice class and it can only be exploited if a Bluetooth device is connected to the targeted computer. Beer said he tested the exploit with an Apple Bluetooth keyboard.

SecurityWeek has reached out to Apple to see if the company can clarify the status of these vulnerabilities.

It’s worth noting that Beer has found many vulnerabilities in Apple’s OS X over the past months. For example, when the company released OS X Yosemite 10.10, the Google researcher was credited for identifying three flaws. When the OS X Mavericks v10.9.4 update was released, Beer was credited for a total of nine issues.

In the past weeks, Google’s Project Zero disclosed several vulnerabilities affecting Windows 8.1 and other versions of Microsoft’s operating system. Microsoft accused Google of putting users at risk with its strict disclosure deadline, especially since one of the flaws was published just two days before it was patched.

For the time being, Google believes 90 days is more than enough time for a vendor to fix a security hole, so the company is sticking to its policy.