Google’s not just picking on Windows. The search company’s Project Zero initiative recently published three unpatched bugs in OS X, 90 days after the group privately disclosed the issues to Apple. The new publications bring the number of unfixed security vulnerabilities in OS X discovered by Google to six, according to the Project Zero database.
The new bugs don’t appear to be all that severe and require an attacker to already have access to a vulnerable machine, as first reported by Ars Technica. One of the bugs may have already been fixed in OS X 10.10 Yosemite; however it’s not clear if that’s actually the case.
The story behind the story: Google says its focus with Project Zero is to reduce the number of users harmed by targeted attacks by forcing companies to address “zero-day” exploits within a reasonable time frame. But its disclosure policy is starting to irk some.
Microsoft recently tangled with Google over Project Zero after the search giant made public a number of unpatched bugs in Windows. Microsoft complained that Google’s decision to stick to a 90-day deadline was unfair. In one, case Microsoft planned to release a fix to a Google-discovered bugs on a Patch Tuesday just two days after after the deadline passed. Despite some industry grumbles, however, Project Zero could turn out to be a positive thing for users if making bugs public prompts technology companies to roll out fixes more quickly.
Lots of Apple-flavored bugs
Google’s Project Zero has already discovered a total of 35 Apple bugs. Most of those bugs have been fixed and only one of them was reclassified as invalid. It’s not clear why Apple decided not to release fixes for the recently published bugs, or if a fix will be released in the coming days.
Google makes public any unfixed bugs 90 days after they are reported to the software vendor (Apple in this case), complete with proof-of-concept code. The three latest Apple bugs were first added to Project Zero (but not published publicly) on October 20, 21, and 23.