
New OS X vulnerability discovered by Italian teen
NewsPoster
MacNN Staff
Join Date: Jul 2012
Status: Offline
Aug 17, 2015, 02:58 PM
Two new zero-day vulnerabilities have been uncovered by an 18-year-old Italian researcher that could be exploited to gain remote access on OS X 10.9.5 through 10.10.5, though the researcher has already published a version of a fix that Apple could adopt in a future update. The discoveries come on the heels of a similar vulnerability that Apple fixed in the last OS X software update. Luca Todesco published details of the exploits on GitHub just hours after notifying Apple of the flaws.

The new exploit chains two flaws to cause memory corruption in the kernel of Mavericks and Yosemite, which is then used to bypass Apple's built-in kernel address space layout randomization (kASLR), a mitigation that is, ironically, designed to make exactly this sort of exploit harder. If successfully executed, a remote attacker could gain root shell access, allowing miscreants to inject potentially malicious code onto the computer.

The flaws have already been fixed in OS X 10.11 El Capitan, currently in beta and expected to arrive sometime next month, but Apple may now have to issue a further security patch to fix the issue in existing installs of Mavericks and Yosemite in order to stop the exploit before it is seen in the wild. It may be possible for Apple to utilize its silently-updated XProtect anti-malware system to protect vulnerable systems from the attack without a formal security update.

Todesco did not follow the standard security-research procedure of notifying Apple and agreeing on a period of time for the company to fix the bug before making it public. He said that his decision to publish the exploit just hours after notifying Apple "is not due to me having issues with Apple's patch policies [or] time frames," though no further explanation was given.

Along with details of the flaws, Todesco also posted a patch he calls NULLGuard. According to Macworld, he claimed that because he does not have a Mac developer certificate, he cannot distribute an easily installed version of the patch himself. Apple has not commented on the situation.
( Last edited by NewsPoster; Aug 17, 2015 at 03:05 PM. )
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Aug 17, 2015, 03:56 PM
****ing ego, desperate to get his name in the press.

Going public without giving Apple a chance to fix things is a real dick move. The user community thanks him.
coffeetime
Grizzled Veteran
Join Date: Nov 2006
Status: Offline
Aug 17, 2015, 04:48 PM
Well. Since it's fixed in 10.11, that means Apple is already aware of this and it's just a matter of time before the next patch arrives on 10.10 and 10.9.
DiabloConQueso
Grizzled Veteran
Join Date: Jun 2008
Status: Offline
Aug 17, 2015, 05:30 PM
But it also means that nefarious types can exploit this on nearly every Mac in existence for the time being.

That's why it's courteous to notify the author(s) or maintainer(s) of the code about the flaw, allow them time to patch it, then go public with your findings -- so you can bask in the glory of being a bad-ass while not simultaneously enabling the compromise of millions of machines.
Makosuke
Dedicated MacNNer
Join Date: Aug 2001
Location: California
Status: Offline
Aug 17, 2015, 07:34 PM
What kind of a jerk does this?

Finding zero-day exploits? Great service to the world.

Going public with zero-day exploits if a company has gone an unacceptable amount of time after being notified without fixing them, to shame them into action? Ugly, but necessary.

Going public with zero-day exploits a few hours after notifying the code maintainer? Attention-seeking jerk.
slboett
Grizzled Veteran
Join Date: May 1999
Location: Pasadena, CA USA
Status: Offline
Aug 18, 2015, 10:27 AM
It's 2015, and this is the world that tech has ushered in. Instant gratification, Instagram, same-day shipping - it's all part of the "life in 10 seconds" world that now has replaced kids riding bikes, hiking, and doing actual things in the world in lieu of that 15 seconds.