When Google's team of ninja bug-hunting researchers known as Project Zero finds a hackable flaw in somebody else's code, they give the company responsible 90 days to fix it before going public with their findings—patched or not. So like clockwork, 94 days after Google alerted Apple to a bug in its MacOS operating system that could allow malware to inject data into the most privileged code running on its computers, Mountain View's hackers are revealing that fresh zero-day vulnerability to the world.

On Friday, Google's Project Zero researchers quietly published a forum post, with proof-of-concept demonstration code, outlining a previously unknown vulnerability in MacOS that they call BuggyCow. The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac.

[...] BuggyCow continues Project Zero's practice of publicly dropping serious, unpatched security vulnerabilities in the code of major tech firms, from Apple and Facebook to Microsoft, a habit that has earned it occasional criticism from the security industry. But the group's strict 90-day deadline, Google has argued, is intended as a powerful motivator for other companies to patch their flaws quickly—an important factor given that Project Zero isn't always the only group of hackers who discover a vulnerability.

In fact, Project Zero notes that it first warned Apple about its BuggyCow flaw back in November and that the company hadn't acted to patch it ahead of last week's public reveal. Apple didn't respond to a request for comment.