The less-than-ideal timing stems in part from how Project Zero works. Google notified Apple of the bug in November 2018, but its automatic 90-day disclosure policy means that it will publicize security vulnerabilities whether or not a fix is in place. While the company does offer a 14-day grace period for companies who don't think they'll have patches ready in time, Apple didn't necessarily qualify for this reprieve. We've asked both Apple and Google for comment.

It's not clear how easy this would be to exploit in the wild. In the meantime, you'll likely want to be particularly careful about the sites you visit and the files you download. A successful attack could theoretically make serious changes to macOS without tripping system-level safeguards, and you might not be aware of the damage until considerably later.