Google's Project Zero has discovered three exploits found in Apple OS X Yosemite.
Project Zero audits software for vulnerabilities and contacts a product's developer about the flaws it finds. After notifying a company, Project Zero gives it 90 days to patch the vulnerabilities before the Google bug-hunting team publishes the security information.
Microsoft quickly defended the integrity of its software when Project Zero recently pointed out vulnerabilities in Windows. Apple, on the other hand, hasn't addressed Project Zero's allegations at all.
Not everyone endorses public reports on vulnerabilities as they can produce new ideas for malicious programmers.
Each of the alleged OS X Yosemite exploits, which were first reported to Apple in October, has been rated "high" in severity because an attacker or malicious code could use them to take control of a user's machine. However, even an experienced attacker would first need local access to a Mac running Yosemite in order to carry out an attack.
Microsoft patched the Windows vulnerabilities days before Project Zero published information about them. The fixes were announced in a January Patch Tuesday bulletin, in which Microsoft explained the vulnerabilities and detailed how it resolved them.
For one of the vulnerabilities, Microsoft stated that its engineers changed the way the Windows Application Compatibility infrastructure tokenized processes to facilitate compatibility. The vulnerability could have been exploited to let low-privileged users elevate their privileges and take control of a Windows computer.
Google's Project Zero was announced in July 2014, when Chris Evans, a "researcher herder," issued a hiring call to security researchers and detailed the project's mission. Project Zero is committed to reporting bugs and flaws to software vendors as quickly as possible.
"We will only report bugs to the software's vendor, and no third parties. Once the bug report becomes public (typically once a patch is available), you'll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces," Evans stated in Project Zero's announcement.