
Apple kept exploit spotted by Google quiet for months to develop patch

For nearly eight months, Apple kept quiet an exploit discovered by Google's Project Zero team in Apple's OS X and mobile operating systems that could allow an attacker to escalate privileges to root level.

The vulnerability was discovered by researcher Ian Beer and reported to Apple in early June, after which Apple reportedly requested a 60-day disclosure extension. A short-term mitigation patch for iOS 10 followed on September 20, and a long-term patch that fully addressed the vulnerability was released in a beta Mac OS on Oct. 3 and in a full version on Oct. 24, according to a Chromium blog post.

“Since this bug also allows us to gain any entitlements we want as well as root it's easy to use it to defeat kernel code signing on OS X and load an unsigned kernel extension,” he said.

The vulnerability also has the potential to be exploited in a sandbox escape, Beer said in the post.
