Latest OS X 10.10.2 beta kills Google-disclosed vulnerabilities dead

Google’s Project Zero research program has disclosed and released proof-of-concept code for a series of 0day — previously unknown — vulnerabilities found in Apple’s OS X operating system for the Mac. It should be noted, however, that the first vulnerability was marked as fixed and closed by Google two weeks ago, and the others are fixed in OS X Yosemite 10.10.2, now in beta. Here’s a report on the vulnerabilities from Ars Technica:

In the past two days, Project Zero has disclosed OS X vulnerabilities here, here, and here. At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What’s more, the first vulnerability, the one involving the “networkd ‘effective_audit_token’ XPC,” may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn’t make this explicit and Apple doesn’t publicly discuss security matters with reporters.

Again, the first exploit, which could result in privilege escalation, was marked as fixed and closed by Project Zero on January 8. Based on the latest build of OS X 10.10.2, seeded yesterday to developers, Apple has also already fixed both of the remaining vulnerabilities.

That means the fixes will be available to everyone running Yosemite as soon as that update goes into general availability.

Discovering vulnerabilities and reporting them is great. Disclosing them to the public, especially without the proper context and framing, is somewhat less than great. Lets hope Google and Project Zero remember there are humans on the other end of these hacks.