Google Discloses Security Vulnerabilities in OS X—While Leaving a Billion Android Users Exposed

Posted on January 26th, 2015 by

If you've been following the security beat closely in the last month or so, you'll be aware that Google has managed to get itself into some hot water on the vulnerability side of things.

What's happened is this. A team of Google security engineers, calling themselves Project Zero, have taken it upon themselves to find flaws in other vendors' software. And, if they feel the other vendor isn't quick enough in fixing the software vulnerabilities, the Googlenauts release details of not just how to exploit the software vulnerability, but actual proof-of-concept code to do the deed too.

The release of actual exploit code, that any internet ne'er-do-well can pick up and alter for their own malicious ends, is bad enough—but the Google Project Zero team has done itself no favours by dishing the dirt on exploitable vulnerabilities when they knew that a patch to protect all vulnerable users was only a day or two away.

Three times in the last month, Google has gone public about flaws in arch-rival Microsoft's code, and effectively handed online criminals the blueprints to exploit the vulnerabilities themselves.

Now, I accept that the issue of how to best disclose vulnerabilities is a contentious one—with many holding strong and opposing opinions. But I really cannot understand how Google engineers think they are doing the internet community a favour, if they know a patch for a bug is only a matter of a day or so away and yet release their exploit code anyway.

Why am I talking about this on the Intego Mac Security blog? Because it's not just Microsoft that is in Google's firing line.

Last week, Google disclosed three vulnerabilities in OS X (here, here, and here), having first privately informed Apple in October last year.

As the 90-day grace period has expired, Google feels it's right to make details of the vulnerabilities public, and tell people how to exploit them.

Thankfully, none of the OS X vulnerabilities discovered by Google appear to be highly critical and seem to require an attacker to have physical access to a vulnerable Mac—but that's not really the point.

Is it really helping anyone by making details of these bugs public? If Google's engineers felt that Apple needed a kick up the bum to fix the flaws more quickly, wouldn't it have been sufficient to demonstrate the vulnerabilities to members of the computer security press rather than making the code public?

After all, the media would think it was a pretty hot story if Apple was being lackadaisical about security—and pressure could be brought to bear.

Fortunately, according to iMore, the security flaws are all fixed in OS X Yosemite 10.10.2, which is now undergoing beta test.

Meanwhile, perhaps someone should remind Google of the saying, "People in glass houses shouldn't throw stones."

As is being widely reported, more than a billion Android smartphones, running Android 4.3 or earlier, are being left exposed to attacks by Google, which has declared it will not fix vulnerabilities in its WebView code.

Just imagine if Apple researchers gave Google 90 days to fix a WebView vulnerability in Android 4.3, and then released proof-of-concept exploit code.

I wonder how Google would feel then?

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • Michele Possamai

    I’m a real android fan but this is simply moronic. Somebody should expose the 4.3 bug poc with a message like ‘sorry, we gave you 90 days to fix it’.. Cause some bad publicity around the world, kick a dent in their stocks (probably just a small one) and make them feel it where it hurts..
    4.3 is not that old and should be patched.
    Until they do, they do not have the right to accuse other companies of a slow patching policy..

    • Ramiro Fernandez

      The problem is that any phones still on Android 4.3 have stopped receiving software updates from the handset vendor. Even if Google were to apply a patch to Android 4.3 what would be the result? It would never be applied to any actual device.

      Google has remedied the situation by unbundling WebView and putting it into Google Play Services, allowing them to update it independently of the OS.

      • Michele Possamai

        If Google would release a patch the fight would be with the handset vendors. Vendors are already afraid to lose customers so a news article about how HTC (for example) distributes a patch for older phones would be good for customer trust.

        The WebView patch in Google Services does not fix the security hole in the old devices does it?

        • Ramiro Fernandez

          Possibly, but what would that achieve? It would be a huge engineering effort as Google would need to release security patches for the last 4 releases or so. And no one would actually get the update, all it would do is shift blame elsewhere. Instead of that, Google are now fixing the problem at its source, albeit a solution that will take a long time to be made available to a majority of users.

          Perhaps Google should release security patches for old versions of Android, and maybe vendors might actually apply those patches to old devices. But the process for rolling out security patches to old devices that no longer receive updates is a long standing Android problem, this WebView “issue” is non-news.

  • Matthew Langdon

    I rest my case here. Google are the scum of the digital Earth. Seriously? Their practice of exposing weaknesses in rivals’ platforms, then practically handing out manuals on how to exploit those to any hacker who wants to try, is not only dirty business, but downright dangerous to the consumer and uninvolved public. Insulting your competitors with advertising is one thing, but intentionally spreading around information on how to exploit their customers? Not cool, Google. Not cool at all.
    I hope people get sick of this and start shunning Google’s platforms and services. Anybody who stoops to the tactic of endangering their competition’s customers deserves to be put out of business.

  • disqus_7y5VSabucb

    Holding feet to the fire is one thing…
    There is a certain arrogance that goes unexplained in this tactic.

    It does no one any benefit to make exploit details available to every malicious high school kid with too much time on their hands & who may never have figured this out on their own.

    In that regard, I wonder if Google has to be considered culpable for damages, certainly complicit even under the guise of demanding quick fixes of its rivals.

    You see this sort of cannibalistic behavior every time business gets tight & new products are not evident – they start suing each other, or finding ways to limit the progress of their rivals.

    Phone OS upgrades are partially the responsibility of the phone service, Verizon, T-Mobile, AT&T & Sprint, etc, per my understanding. Is that correct?

    One trick that phone makers like Samsung employed in their market strategy was a big push of series 3(?) “LITE” phones early summer 2014 as I recall – which were never going to be updated & so foisted unpatchable phones on their customer base, basically built-in obsolescence at point-of-sale.

    If that is an acceptable strategy, then someone may yet wind up posting how best to hack Android customers using those phones. It sounds like stories of rival businesses shooting skyrockets at one another across cities in far eastern countries! (no joke).

    In football, the first infraction gets called. Then the retaliation gets clobbered.
    Do they think there will be no quid pro quo?

  • RealityAlwaysBites

    Google appears to only be able to do evil, typical of the psychopathic mindset running most corporate scumbag companies. Can’t really expect anything else, they aren’t capable of good.


    People bringing up security vulnerabilities for older Android versions is stupid. Google has no way to force handset vendors to apply the update and it wouldn't happen, so there is no reason for them to do it. The current versions get security fixes and Google keeps on top of it. It's not Google leaving users out to dry, it's handset vendors who don't want to support devices any more than they have to.

    • Coyote

      and… he isn’t talking about the Android version per se… In addition, ignoring a message is – if I may use your wording – stupid because it is quite simple to not ignore it; it is right there. No, I don’t really think it is stupid; it isn’t, definitely not by the definition of the word. That applies to your usage of the word, too. But that is beside the point.

  • Dillon Prescott

    I hate how short-sighted people are here. Google fixed their problem; it was called Android 4.4. There are still phones that aren’t updated, but that’s up to the OEMs to fix, not Google. Google updates their Nexus line because those are the only phones they can control.

    • Coyote

      Ironically you suggest he is short sighted yet… you seem to think that everyone gets newer versions and anyone else is out of luck. Indeed that is often the case (like everything in real life) but it is short sighted (because after all, everyone is as well off as everyone else, has all the chances, etc.; in fact, everyone is equal so nothing else is there, right? Indeed short-sighted) when you say that is the fix. No, it is not the fix. You don’t fix something by replacing it with something else. You fix it by repairing the item that needs fixing. There is a huge difference: if you have a computer that won’t POST (and let’s say it isn’t the common cause or it is a part that cannot be fixed) and you then buy a new computer the old computer still won’t POST and therefore it isn’t fixed. That means that the old computer is still broken i.e. still would need to be fixed if you wanted it to POST.

      It is also quite ironic that – among others – you seem to claim silly things that are unrelated (e.g. short sighted and various other things (and as for your case you’re showing yourself to be – as you put it – short sighted (quite amusing, however it may be))) and miss the entire point. I’ll add something else (which if you actually looked at his link – something someone else suggested he didn’t do, research, the irony being significant (not that there is much to research on his end – he is citing an incident and an explanation of)) that others seem to miss too: he isn’t talking about Android version. He’s referring to those who still have older versions will not get updates of certain components. There’s a difference. And yes it is relevant. No the provider is not relevant here because it is Google’s choice to not do it (and the reasons are irrelevant here).

  • Coyote

    If you think Google should not be held responsible for that (which incidentally he wasn’t suggesting they were responsible for mobile operators, see next part), and you think that Graham should be held responsible for investigating facts (there actually aren’t any facts to investigate, again see next part) before assigning blame….. then perhaps you should be held responsible for your lack of reading comprehension. Indeed, he wasn’t blaming anyone about anything in particular: the point of this article being on Intego is that they disclosed a 0day (among others unrelated to here) related to Apple; the rest is an aside. He even points out there is much to that debate and there’s many variables indeed (I’m both for it and against it depending on the circumstances, for example, usually both at the same time). He wasn’t blaming anyone or anything (stating someone did X is very different from blaming someone for X!). This was more of a reminder of one thing (that you clearly missed) and bringing up an issue that – as he correctly states – is a contentious one with strong (and he uses the word strong and yes it is very much the right word) opinions (which you also missed). I’ll not even get into the fact your message is mostly an ad hominem…

    In any case: yes, he should go do more research but do please follow your own advice. After all, if he can better himself then so can you and indeed everyone else (yes, everyone). Why not be a good example? Thanks.

  • Coyote

    .. and in light of all the bickering here… I’ll just offer that that is a wonderful photo of Half Dome…