Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Google Shares Details on Unpatched 'High Severity' macOS Kernel Flaw

Neither internal developers, nor QA (if ever so existent) or external developers who provide assistance for free reaches the coders at Apple. I guess everyone nowadays just learned that you have to hit Apple on all channels where it hurts them most (reputation and investor feedback) in order to get a reaction.
...or the coders are just being reassigned to crafting fancy new emojis to target the new target userbase.
 
  • Like
Reactions: zulkiflim
I have used Macs and MS-based machines for decades. I have never used a google-device or OS, so I cannot speak to the vulnerability of Googleware, but I have never run any anti-virus or anti-adware or other 3rd-party "security" software on any mac I have ever owned, and I have never been hacked, attacked, or noticed any weird pieces of software or unauthorized users on my machines. I don't even keep tabs on what viruses exist for MacOS. From time to time, I have installed anti-virus software just to see if the programs detect anything, but so far, never.

In the Windows world, I have actually never NOT run something. Most past employers/clients who have provided me with MS-Windows based machines have insisted/mandated some form of anti-virus software -- McAffey or Simantec or Norton of something. On the rare occassions I have had such a machine without anti-virus software, I have run into issues. In fact, years ago there was an instance such that I had to re-install my copy of Windows on my laptop, and I got a virus immediately after installing the OS -- apparently there was some hole in the installation that once it "phoned-home" as an admin user, a virus was immediately install onto the machine. It was easy to eradicate, but it essentially installing anti-virus software as part of the OS install.

I am appreciative that Google is out there trying to make everyone's information safer, but making this "vulnerability" public doesn't seem to help anyone.

To the Mac User base listening into this thread -- has anyone ever had a virus on a Mac?
 
  • Like
Reactions: zulkiflim and 5105973
I Own A Mac said:
I have used Macs and MS-based machines for decades. I have never used a google-device or OS, so I cannot speak to the vulnerability of Googleware, but I have never run any anti-virus or anti-adware or other 3rd-party "security" software on any mac I have ever owned, and I have never been hacked, attacked, or noticed any weird pieces of software or unauthorized users on my machines. I don't even keep tabs on what viruses exist for MacOS. From time to time, I have installed anti-virus software just to see if the programs detect anything, but so far, never.

In the Windows world, I have actually never NOT run something. Most past employers/clients who have provided me with MS-Windows based machines have insisted/mandated some form of anti-virus software -- McAffey or Simantec or Norton of something. On the rare occassions I have had such a machine without anti-virus software, I have run into issues. In fact, years ago there was an instance such that I had to re-install my copy of Windows on my laptop, and I got a virus immediately after installing the OS -- apparently there was some hole in the installation that once it "phoned-home" as an admin user, a virus was immediately install onto the machine. It was easy to eradicate, but it essentially installing anti-virus software as part of the OS install.

I am appreciative that Google is out there trying to make everyone's information safer, but making this "vulnerability" public doesn't seem to help anyone.

To the Mac User base listening into this thread -- has anyone ever had a virus on a Mac?
Click to expand...

Not that I know of.


Even if I ever picked up some kind of malware, it was probably unique and unknown to public, therefore non visible. Like Flashback, that was running on people’s machines for months before it got discovered by security experts.
 
I Own A Mac said:
I have used Macs and MS-based machines for decades. I have never used a google-device or OS, so I cannot speak to the vulnerability of Googleware, but I have never run any anti-virus or anti-adware or other 3rd-party "security" software on any mac I have ever owned, and I have never been hacked, attacked, or noticed any weird pieces of software or unauthorized users on my machines. I don't even keep tabs on what viruses exist for MacOS. From time to time, I have installed anti-virus software just to see if the programs detect anything, but so far, never.

In the Windows world, I have actually never NOT run something. Most past employers/clients who have provided me with MS-Windows based machines have insisted/mandated some form of anti-virus software -- McAffey or Simantec or Norton of something. On the rare occassions I have had such a machine without anti-virus software, I have run into issues. In fact, years ago there was an instance such that I had to re-install my copy of Windows on my laptop, and I got a virus immediately after installing the OS -- apparently there was some hole in the installation that once it "phoned-home" as an admin user, a virus was immediately install onto the machine. It was easy to eradicate, but it essentially installing anti-virus software as part of the OS install.

I am appreciative that Google is out there trying to make everyone's information safer, but making this "vulnerability" public doesn't seem to help anyone.

To the Mac User base listening into this thread -- has anyone ever had a virus on a Mac?
Click to expand...
No. And I don’t remember ever having to deal with a virus on a PC of my own, either. But I’ve had friends on PC’s clearly hit with their email accounts rampantly spamming their contacts with infected attachments.
 
mi7chy said:
This is what happens when you've spent too much on hiring propagandists instead of security researchers and developers.
Click to expand...

Compare the security of the iPhone v. Android. And of Mac OS versus Google's-- oh, they don't have an OS, do they? Just a web browser that pretends to be one.
 
eagle33199 said:
Out of curiosity, has Google's Project Zero disclosed unpatched issues in Google's own software? I've heard of a few directed at Apple products, but none directed at Google's own products...
Click to expand...
The short answer is yes they do disclose on Google. The longer answer is yes they do. The most recent disclosed vulnerability comes from Nov 2018 https://bugs.chromium.org/p/project-zero/issues/detail?id=1718&q=android&colspec=ID Status Restrict Reported Vendor Product Finder Summary

I think the issue you're experiencing is not a matter of disclosure, but a matter of notoriety. Disclosure is simply making the details of the exploit known. Notoriety comes from some blogger or news site picking up the disclosure and publicizing it. Patched or not, they disclose and news sites sometimes pick up the info. Just not Apple-centric news sites... which is why you may not have heard of the disclosures.
Another forum member @genovelle posted a similar question/accusation in the original article back on Feb 8.
69Mustang said:
https://9to5google.com/2018/01/03/google-project-zero-cpu-security-flaw-patches-android-chrome/
https://www.zdnet.com/article/opening-this-image-file-grants-hackers-access-to-your-android-phone/
https://www.androidpolice.com/2018/09/12/google-android-usb-security-flaw/
https://searchsecurity.techtarget.com/answer/How-does-the-Android-Rowhammer-exploit-affect-users
https://www.infosecurity-magazine.com/opinions/hacking-video-conferencing/
Click to expand...
 
Last edited:
  • Like
Reactions: pratikindia, 5105973 and jedifaka
Darmok N Jalad said:
Google has done the same to Windows in the past. It’s all good and fine, but it’s just an arbitrary deadline, one that I don’t believe google enforces on itself. Android’s severe fragmentation (multiple Android versions and various degrees of OEM support) make it very hard to police in the same way that google polices MS and Apple. Sure, they may have fixed an Android exploit, but that fix will only land on the handful of devices that get an actual security update.
Click to expand...
You are conflating different topics. Project Zero discloses on all OSes when they find bugs. Whether that disclosure is before or after the patch depends on the vendor's fix timeliness. If the vendor communicates the fix will take longer than 90 days, they don't disclose. And yes, PZ uses the same disclosure timeline for Android and Chrome.

Androids fragmentation has no affect on PZ and their work. PZ does not provide patches and has nothing to do with updates.
 
  • Like
Reactions: ROGmaster, 5105973, jedifaka and 1 other person
Kabeyun said:
At this point I have to believe personal computer malware problems come from user foolishness installing something they shouldn’t’ve. No one is out there furiously trying to hack into your desktop. Watch where you visit, what you download, and what you open. Anyone who doesn’t know this by now probably needs an infection as a teaching point.
Click to expand...
This. (in addition to using an adblocker to block ads carrying malicious payloads)

"Security" is one of those boogeymen that companies use to scare people away their competitors and toward their own products and services. Most of the "security holes" require a very specific set of conditions for the hole to be present and exploited, often times, conditions that the average consumer will never meet.
 
  • Like
Reactions: 5105973 and Kabeyun
GrumpyMom said:
A teenager and Google trying to make Macs more secure :eek: and Apple's reported response to them looks like "talk to the hand". :confused:

What are they doing over in the spaceship? I'm not even remotely technically literate so I'm genuinely curious: is this a sign of internal mismanagement or nothing really of consequence but makes an interesting headline?
Click to expand...
I can tell you what’s going on...

Timmy is watching upcoming shows and couldn’t find the time to respond.

Ive is still redecorating it’s office and can’t decide if the curtain would have a golden glow or not.

Phil is busy with its filmmakers crew for the next ‘shot on iPhone’ ad.

Eddy is trying to find the new Bambi for its third remake of carpool karaoke.
[doublepost=1551728166][/doublepost]
GrumpyMom said:
No. And I don’t remember ever having to deal with a virus on a PC of my own, either. But I’ve had friends on PC’s clearly hit with their email accounts rampantly spamming their contacts with infected attachments.
Click to expand...
You propably don’t watch any Bambi movies Timmy is warning you about :D
 
  • Like
Reactions: zulkiflim and Greymacuser
GrumpyMom said:
I can't tell if you're joking or serious but I can see some people reading this news and thinking that. Which is why I asked my question in the post before yours.

With Windows a user's PC is going to get hammered all the time with security threats both commonplace to catch all the technically illiterate unaware and very complex to catch out heavily secured systems.

How vulnerable are most Mac users really? How easy are the two most recently uncovered exploits implemented? Dramatic news stories are all well and good but how likely is a suburban soccer mom like me to be harmed by this?
Click to expand...

I don't think you will be affected, like others have posted. It seems (I'm no specialist on this matters, BTW) that this security flaw allows someone with physical access to your computer to change parts of your OS without leaving a trace on installation logs. It could probably mean that if someone steals your laptop and you have keychain passwords and credit card numbers stored in there, they could retrieve them. Or if your work involves managing sensitive info, someone with the right knowledge could steal your laptop, retrieve said info, return it to you, and you won't notice they tampered with your OS.
 
  • Like
Reactions: 5105973
I Own A Mac said:
I have used Macs and MS-based machines for decades. I have never used a google-device or OS, so I cannot speak to the vulnerability of Googleware, but I have never run any anti-virus or anti-adware or other 3rd-party "security" software on any mac I have ever owned, and I have never been hacked, attacked, or noticed any weird pieces of software or unauthorized users on my machines. I don't even keep tabs on what viruses exist for MacOS. From time to time, I have installed anti-virus software just to see if the programs detect anything, but so far, never.

In the Windows world, I have actually never NOT run something. Most past employers/clients who have provided me with MS-Windows based machines have insisted/mandated some form of anti-virus software -- McAffey or Simantec or Norton of something. On the rare occassions I have had such a machine without anti-virus software, I have run into issues. In fact, years ago there was an instance such that I had to re-install my copy of Windows on my laptop, and I got a virus immediately after installing the OS -- apparently there was some hole in the installation that once it "phoned-home" as an admin user, a virus was immediately install onto the machine. It was easy to eradicate, but it essentially installing anti-virus software as part of the OS install.

I am appreciative that Google is out there trying to make everyone's information safer, but making this "vulnerability" public doesn't seem to help anyone.

To the Mac User base listening into this thread -- has anyone ever had a virus on a Mac?
Click to expand...

Windows has it's own built in virus checker.

I had a Surface Pro 4 for a year and a Surface Book 2 for a year and never had any issues whatsoever. It really isn't the wild west of viruses like the mid-2000s. If you don't visit shady websites you'll be fine.
 
  • Like
Reactions: freedomlinux, AndyMacAndMic, ROGmaster and 6 others
Daveoc64 said:
Yes. There have been automatic disclosures after 90 days for several Google projects, including Android.
Click to expand...

I don't want to sift through hundreds of my own Slashdot posts to find these again, but - when this question came up a couple years ago (another time when Apple took longer than 90 days to fix an exploit), I found several cases where what you state is not true. Project Zero seems to treat severe Google bugs differently than those of other vendors.

As I recall, with one of the bugs Project Zero withheld it for more than a year - only releasing the information after Google had finally patched it.
 
  • Like
Reactions: G5isAlive
Another OS screw up? What a surprise given Apple's quality control track record.
I hope that this goof only affects Mojave.
Yet another reason why I stayed at High Sierra and don't plan on "upgrading" to the barren desert OS.
 
  • Like
Reactions: zulkiflim
eagle33199 said:
Out of curiosity, has Google's Project Zero disclosed unpatched issues in Google's own software? I've heard of a few directed at Apple products, but none directed at Google's own products...
Click to expand...

Most of Google's products are software that is executed online. Typically, such products are much easier to patch frequently, as the software vendor has 100% control over the environment in which it runs-- in other words, a lot fewer test cases are needed every time there is a release. So the answer is, Google probably never hits the 90 day mark.
 
Apple can hire all the talented persons they want... but they should fire some high management first to really start a change for the better.
 
  • Like
Reactions: zulkiflim
Greymacuser said:
Another OS screw up? What a surprise given Apple's quality control track record.
I hope that this goof only affects Mojave.
Yet another reason why I stayed at High Sierra and don't plan on "upgrading" to the barren desert OS.
Click to expand...
Exaggerate much? This is not a "red alert" like bug, the attacker has to have physical access to the device (which is not good anyways).

Apple not having a bug bounty program (for macOS) AT ALL is the scandal here, and this affects every version of the OS.
 
Last edited:
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back