Submission: Google Identified Major Kernel Vulnerability In Apple's OS And iOS Systems (thestack.com)
An anonymous reader writes: In June Google’s Project Zero team identified a devastatingly effective exploit in Apple’s XNU kernel, and was able to develop perfect privilege escalation attacks by targeting a task port process thread called 'owningTask'. Project Zero member Ian Beer became dubious about the name of the task: 'OwningTask implies an ownership relationship which might lead kernel extension developers to believe that behind the scenes IOKit is actually maintaining an ownership relationship which will ensure that the lifetime of this userclient will always be dominated by the lifetime of the owningTask. This is a dangerous assumption.' Project Zero apprised Apple of the vulnerability at the beginning of June, and initially refused Apple's request for sixty days' grace, but eventually settled on September 21st for disclosure. But when Apple's last-minute September fix turned out to be ineffective, Project Zero agreed to keep quiet, eventually granting Apple nearly five months of silence about the task_t bug — which has now been fixed in the latest updates to Mac OS and iOS.