Google Project Zero Strengthens Apple OS X, iOS

NEWS ANALYSIS: A Google research group is keeping busy helping Apple and others stay secure. The researchers reported several vulnerabilities to other companies.

While Google and Apple don't always see eye-to-eye, when it comes to security, Google is one of Apple's biggest benefactors. Case in point is the Apple Mac OS X 10.9.4 and iOS 7.1.2 updates, which were released June 30.

The Mac OS X 10.9.4 update provides fixes for 21 security vulnerabilities, of which nine were reported to Apple by a researcher identified as Ian Beer of Google Project Zero. The researcher reported flaws in Mac OS X that include multiple graphics driver vulnerabilities identified as CVE-2014-1372, CVE-2014-1373 and CVE-2014-1379. The vulnerabilities could have enabled an attacker to execute arbitrary code.

Beer also is credited with the discovery of four vulnerabilities in launchd: CVE-2014-1356, CVE-2014-1357, CVE-2014-1358 and CVE-2014-1359. Launchd is the Apple application agent manager, and the flaws could have potentially enabled arbitrary code execution.

The Google Project Zero researcher is also credited with the discovery of CVE-2014-1376, an Intel compute vulnerability, and CVE-2014-1377, an IO accelerator flaw.

Google's interest in Apple security isn't limited to just Mac OS X either. The iOS 7.1.2 security update, also released June 30, benefits from the same four security disclosures that Google Project Zero made for the launchd component in OS X 10.9.4.

Going a step beyond Ian Beer and Project Zero, Google is also credited with the discovery of eight vulnerabilities (CVE-2014-1327, CVE-2014-1329, CVE-2014-1330, CVE-2014-1333, CVE-2014-1335, CVE-2014-1338, CVE-2014-1341 and CVE-2014-1343) fixed in the WebKit browser rendering engine used in Safari on both OS X and on iOS. This discovery is specifically credited to the Google Chrome Security Team.

Google is no stranger to fixing WebKit vulnerabilities as the Chrome Web browser has a shared lineage. Until April 2013, the open-source Apple WebKit was also the rendering engine used by Google to power its Chrome Web browser. Google's new browser rendering engine, known as Blink, is based somewhat on the original WebKit base. Vulnerabilities that were first reported in Chrome have been fixed in Safari on multiple occasions this year, including the Safari 7.0.3 update in April and the Safari 7.0.4 update in May.

The bigger question really is about Google Project Zero.

A simple Google search on Project Zero yields little direct information from the company, which did not respond to a request for comment from eWEEK for this story by filing time.

While we don't know much at this point about the operational details, what we do know is that Google Project Zero has been active this year. Ian Beer is credited with the discovery of three vulnerabilities first reported to the Hewlett-Packard Zero-Day Initiative (ZDI). Those disclosures include ZDI-14-090, ZDI-14-121 and ZDI-14-120. All of those discoveries affect Apple OS X and were reported to ZDI at the Pwn4Fun event, which was part of this year's HP ZDI-sponsored Pwn2Own hacking competition.

An HP spokesperson said the company was unable to comment or elaborate on the activities of Ian Beer or Google Project Zero, citing researcher privacy.

Apple isn't the only target for Google's Project Zero efforts and Ian Beer isn't the only researcher, either. On June 17, Microsoft credited Tavis Ormandy of Google Project Zero with the discovery of a denial-of-service vulnerability in the Microsoft Malware Protection Engine.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.