Items tagged with Project Zero

Companies like Microsoft and others are potentially getting more time to fix zero-day vulnerabilities before Google's Project Zero team discloses them to the public, as part of a new policy change for 2021. At the same time, end users can potentially expect zero-day security patches to arrive more quickly and be more thorough. How so? On the surface, giving companies additional time to stomp out bugs seems counterintuitive to users receiving more timely patches for newly discovered vulnerabilities. And perhaps it will work out that way. Still, the new "90+30" trial, as Project Zero calls the policy change, looks like a win-win for all involved. Under last year's policy, Project Zero held... Read more...
The bug hunters that comprise Google's Project Zero team are getting a little fed up with companies that issue incomplete or otherwise incorrect patches for zero-day vulnerabilities they discover. Going into 2021, the team plans to reevaluate how it handles these kinds of situations, with a recent privilege escalation flaw in Windows serving as the tipping point. At issue is a zero-day flaw in Windows (CVE-2020-0986) that was actually discovered by Kaspersky this past summer. "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker... Read more...
It seems Qualcomm is having a devil of a time fixing a security flaw related to its Adreno GPU driver code. It was brought to Qualcomm's attention by Google's Project Zero team, which sniffs out vulnerabilities and compels companies to fast-track security fixes by going public with the details after 90 days have passed (barring a grace period, which the team sometimes grants). The general idea behind the 90-day deadline is that it provides an incentive for companies not to drag their feet in fixing security flaws. This sometimes causes consternation among companies, especially if they request a bit of additional time and are denied for whatever reason. In that sense, there is a controversial... Read more...
Google’s Project Zero team, which is tasked with discovering 0-day vulnerabilities, has uncovered a bug in the Windows kernel that can lead to sandbox escape or privilege escalation. The bug, given CVE-2020-17087, is a buffer overflow in the Windows Kernel Cryptography Driver (CNG.sys) and is being actively exploited. Thankfully, this exploit is targeted and is not related to any U.S. election hacking, which could become more prevalent in the coming days. Last week, the Project Zero team discovered an exploit in Google Chrome and Chrome OS. Around the same time, they found the Windows kernel bug, and it was “subject to a 7-day disclosure deadline.” It was subject... Read more...
After being alerted to a "medium" security flaw in Windows 10 by Google's Project Zero team, Microsoft took a swing and a miss at fixing it through yesterday's cumulative Patch Tuesday rollout. As per Project Zero's policy, the vulnerability has now been disclosed to the public, as Microsoft failed to address it within the usual 90-day disclosure period. For anyone who is not familiar, the Project Zero team researches security issues, particularly zero-day bugs, and passes on its findings to software companies. Those companies then have 90 days to plug the security hole before Project Zero discloses its findings. Software outfits like Microsoft can request an extension, but whether one is... Read more...
Through its Project Zero division, Google has tasked itself with motivating technology companies to push out timely patches for zero-day vulnerabilities. It does this by giving companies 90 days to patch a security flaw before going public with the details. There are differing opinions on whether this is the right approach, and as we embark on a brand new year, Project Zero is updating its disclosure policy for zero-day threats. The big change for 2020 is that Project Zero will wait the full 90 days before disclosing details of a zero-day threat, regardless of whether a company has already issued a patch or not. Up to this point, Project Zero's policy was to disclose the threat as soon as... Read more...
A dangerous zero-day vulnerability affecting at least a dozen different Android phone models is being actively exploited in the wild, according to Google's Project Zero team. Attackers who leverage the security flaw are able to gain full control of an affected Android phone. As of right now, no patch for the vulnerability exists (though one is being worked on). Google's own first- and second-generation Pixel phones are among the Android models affected by this. So are a smattering of Samsung Galaxy phones. So far, Project Zero has confirmed the issue affects the following models: Pixel and Pixel XL; Pixel 2 and Pixel 2 XL; Huawei P20; Xiaomi Redmi 5A; Xiaomi Redmi Note 5; Xiaomi A1; Oppo A3; Moto... Read more...
A week ago, Google disclosed findings from its Project Zero Threat Analysis Group, which discovered 14 vulnerabilities in iOS that were used across five exploit chains. According to Google, the exploits were used over a period of more than two years in a "sustained effort to hack the users of iPhones" by monitoring their private data and location information in real time. It was later learned that the Chinese government was using at least some of these vulnerabilities to spy on Muslim minority groups in its Xinjiang territory. At the time, Apple didn't make any public statements about Project Zero's findings, in part because it released an iOS security fix within two weeks of being... Read more...
A member of Google's Project Zero security team has written a lengthy blog post detailing a series of iOS exploit chains discovered in the wild. According to Project Zero's findings, a hacking group undertook a "sustained effort to hack the users of iPhones" for a period of at least two years. This was accomplished through hacked websites. Project Zero member Ian Beer says Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites that were used in "indiscriminate watering hole attacks" against iPhone users, by way of a zero-day attack. "Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring... Read more...
When it comes to disclosing vulnerabilities, the Project Zero team at Google generally sticks to a hard-and-fast deadline, giving companies 90 days to issue a patch before going public with its findings. There are some rare exceptions, but for the most part, Project Zero sticks to that time frame. As such, Project Zero is making some noise about a Windows bug that could allow an attacker to "take down an entire Windows fleet relatively easily." The issue lies in the SymCrypt core cryptographic library of Windows. A bug exists in SymCrypt's multi-precision arithmetic routines for implementing symmetric cryptographic algorithms in Windows 8, and asymmetric ones in Windows 10. By leveraging the... Read more...
Through its Project Zero team, Google has appointed itself a vanguard of software security and accountability. As such, every so often Project Zero publicizes a security flaw that has gone unpatched for at least 90 days, sometimes over the objections of the company it affects. This time it is Apple and its macOS software that is in Project Zero's spotlight. The security team has discovered what it deems to be a high-severity bug in the operating system's kernel, XNU, which allows copy-on-write (COW) behavior in ways that it perhaps should not. "This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, after the destination process... Read more...
Just when news of Spectre and Meltdown has seemingly died down, we're now hearing of a fresh round of exploits that might affect Intel processors. A total of 8 new vulnerabilities have been discovered and are being dubbed Spectre Next Generation, or Spectre-NG for short. Each of the eight vulnerabilities has been assigned its own Common Vulnerabilities and Exposures (CVE) identifier, and each will need to be patched separately, according to German publication c't. Intel, which has been notified of Spectre-NG, acknowledges that four of the new exploits are considered "high risk", while the other four are "medium risk". At least one of the vulnerabilities is reportedly even more... Read more...
Google's Project Zero team has discovered a 'medium' security vulnerability that primarily affects Windows 10 S, a stripped-down version of Windows 10 that is "streamlined for security and superior performance." While it does not appear to present a major threat to users—remote code execution is not possible in this instance, for example—part of what's interesting here is the ongoing tug-of-war between Project Zero and companies whose products have flaws. Project Zero, you might recall, is the same division of Google that made public Meltdown and Spectre. Under normal conditions, Project Zero gives firms 90 days to fix security flaws it discovers before disclosing them publicly. The... Read more...
Google's Project Zero has been busy uncovering vulnerabilities in a wide range of products and services, most notably rooting out CPU flaws that became known as Spectre and Meltdown. While mitigations are still ongoing, Project Zero continues to look for security issues across the board. The latest one that Project Zero found is a remote code execution vulnerability that exists in uTorrent. The vulnerability exists in both the downloadable desktop client for Windows and the new uTorrent Web service that runs in a browser window and allows users to stream torrents from it. Project Zero points out that by default, the web version is configured to run at startup with Windows, so it's always running... Read more...
Google's Project Zero team has publicly disclosed a security vulnerability in Microsoft's Edge browser for Windows 10 after Microsoft failed to issue a patch in the allotted time. The Project Zero team alerted Microsoft to a bug relating to the browser's Arbitrary Code Guard (ACG) back in November of last year. As is the team's policy, companies generally have 90 days to fix flaws that it discovers before a public disclosure. In this instance, Microsoft requested and was granted a two-week grace period. Unfortunately, Microsoft was still unable to fix the flaw before the extended deadline, so now the details of the bug are public knowledge. With that being the case,... Read more...
If you've been following the tech or security news for the past few days, then you no doubt know of a security vulnerability that reportedly affects all Intel processors. OS vendors have been working to mitigate the issue with kernel patches, but those software Band-Aids can come with some performance handicaps as a side effect. Today, we're learning more about what exactly is going on, and that there are not one, but actually two vulnerabilities that have been disclosed. It's bad enough that one of them targets Intel processors, but the second affects ALL modern processors as well -- including those based on architectures from Intel, AMD and ARM. So, we present to you Meltdown and Spectre.... Read more...
Way back -- dating to just after the release of the first iPhone -- hackers chipped away at the security defenses in iOS to give users functionality that was lacking in the default software. This practice is known as jailbreaking, and it is something that Apple unsurprisingly frowns upon since it breaks through its “walled garden”. Ian Beer, a researcher working for Google's Project Zero team, announced via a tweet that he has discovered an exploit that could jailbreak devices running iOS 11.1.2 or older. Project Zero is tasked with finding bugs in competing software, as we've seen over the years with the prickly relationship Google has with Microsoft on the matter.... Read more...
Practically everyone who owns a smartphone should be on the lookout for a patch. Both Google and Apple this week released software updates for Android and iOS, respectively, to address a vulnerability discovered in Wi-Fi chipsets developed by Broadcom. If left unpatched, an attacker within range of the same Wi-Fi network could execute malicious code on a person's mobile device. A researcher on Google's Project Zero team discovered the vulnerability and wrote about it in great detail (hit the source link for a deep dive into the technical underpinnings of this exploit). Prior to Google releasing a patch for Android, the researcher demonstrated the hack on a fully patched Nexus 6P running Android... Read more...
Security researchers on Google's Project Zero team have discovered critical security flaws in several of Symantec's software security products, including its popular Norton line for consumers and Endpoint Protection for enterprises. No small thing, among the vulnerabilities are several wormable remote code execution flaws. "These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption," the Project Zero team said. Since Symantec uses the same core engine... Read more...
Going on a bug hunt might not sound like the most exciting thing in the world, but for Project Zero, the name for a team of security analysts tasked by Google with finding zero-day exploits, a good old-fashioned bug hunt is both exhilarating and productive. As a result of Project Zero's efforts to root out bugs in Samsung's Galaxy S6 Edge device, owners are now more secure. In a blog post describing the bug hunt, Project Zero (correctly) notes that the majority of Android devices are not made by Google, but by third parties known as Original Equipment Manufacturers, or OEMs. Having researched vulnerabilities on Google-made Nexus devices running the Android Open Source Project (AOSP), Project... Read more...
Google has been hitting tech companies with a few right hooks in recent months with regards to zero-day exploits. As a part of Google’s “Project Zero” program, its security researchers discover security vulnerabilities in software products and report their findings to the vendor. The vendor has 90 days from the time of first disclosure to patch the problem, or Google goes public with the full details of the exploit. At that point, anyone can pore over the details to take advantage of the exploit. Google busted Microsoft’s chops in early January when it failed to adhere to Google’s 90-day window by disclosing a vulnerability that allowed non-administrator accounts to escalate their privileges to... Read more...
Ahead of its earnings release that is due after the closing bell today, Apple has released two updates for its most prominent operating system. The mobile-centric iOS has been updated to 8.1.3, while the desktop/laptop-centered OS X Yosemite gets an upgrade to 10.10.2. The biggest addition with iOS 8.1.3 is a reduction in the amount of storage space required to install iOS updates. Previous iOS 8 updates have required users to set aside nearly 6GB of free space in order to install. For users stuck with 16GB iPhones and iPads (we still have no clue as to why Apple continues to string users along with such low amounts of onboard storage with no option for external storage), this has hampered their... Read more...