Articles about Project Zero

Whether Linux distributions are more secure than Windows or macOS is the source of on-going debate, but Google's Project Zero has some interesting findings relating to the patching of security holes.

The security research program at Google has published information relating to security flaws found in software over the course of two years. Between January 2019 and December 2021 the Project Zero team found that Linux developers addresses problems far faster than Apple, Microsoft or Google itself.

Continue reading →

Last month, security researchers at Google's Project Zero released details of a zero-day vulnerability in Windows that was being actively exploited.

Hacklers were taking advantage of a Windows Kernel Cryptography Driver security flaw (CVE-2020-117087) to gain elevated privileges in Windows 7, 8, and 10, as well as Windows Server 2008 and higher. As part of yesterday's Patch Tuesday release, Microsoft has now issued a fix for the vulnerability.

Continue reading →

Google's Project Zero is very quick to point out security flaws in other company's products, but the search giant is far from being perfect itself. Two recently discovered zero-day vulnerabilities in Chrome have just been fixed with a new patch.

CVE-2020-16009 and CVE-2020-16010 are remote code-execution and heap-based buffer overflow flaws respectively and affect both the desktop and Android versions of Google's web browser.

Continue reading →

Security issues are frequently exposed by Google's Project Zero; just days ago, security researchers revealed details of an actively exploited Windows Kernel Cryptography Driver security flaw.

Now Project Zero has released details of a serious security flaw in another Microsoft venture -- GitHub. The bug relates to GitHub Actions' workflow commands and is described as being high severity. It was discovered back in July but, as per the standard 90-day disclosure period, details are only just now being made public.

Continue reading →

Google has shared details of a bug in the Windows Kernel Cryptography Driver (cng.sys) which is currently being exploited in the wild by hackers.

The Project Zero team had already privately shared details of the security flaw with Microsoft a little over a week ago, but now that it is being actively exploited the company has gone public. The zero-day flaw is being tracked as CVE-2020-117087, and it is not likely to be addressed by Microsoft for a couple of weeks.

Continue reading →

The vulnerability-finding Project Zero has found Google on the end of both criticism and praise, but there has long been concern about the policy of being very quick to reveal details of vulnerabilities that have been discovered.

Previously Project Zero has given software developers a 90-day window of opportunity to fix bugs before it goes public. Details of vulnerabilities would also be published as soon as a fix was released. For 2020, Google is trying something new. The company will wait a full 90 days before disclosing a vulnerability, regardless of when the bug is fixed.

Continue reading →

Apple has tried to downplay concerns raised by Google about security vulnerabilities in iOS that could be exploited by malicious websites. Google's Project Zero recently revealed details of flaws in iOS that were being used to target and monitor iPhone users.

Other security researchers went on to warn that the vulnerabilities were being used to target Uyghur Muslims, possibly in a campaign run by the Chinese government. Having remained silent for more than a week after the revelations, Apple finally issued a statement responding to the findings, prompting criticism that the company was trying to downplay the issues.

Continue reading →

If you're a Firefox user, now is the time to update your browser. A zero-day vulnerability has been discovered which is being actively exploited in targeted attacks.

The security hole was revealed via Google's Project Zero, and it affects ALL versions of Firefox. In short, if you have not updated to Firefox 67.0.3 or Firefox ESR 60.7.1, you need to do so right now.

Continue reading →

Google's Project Zero has gone public about a "high severity" flaw in the macOS kernel after Apple failed to patch it 90 days after being told about the problem.

A security researcher discovered a problem in XNU that means it is possible to perform malicious activities. The security bug related to copy-on-write (COW) behavior, enabling an attacker to manipulate filesystem images without the operating system being notified. Apple was informed of the vulnerability back in November, but has failed to release a patch.

Continue reading →

Details of a security flaw in Windows 10 S have been revealed by Google's Project Zero after Microsoft failed to issue a patch within the 90-day disclosure deadline.

The "WLDP CLSID policy .NET COM Instantiation UMCI Bypass" vulnerability is described as being of medium severity, and it allows for the execution of arbitrary code on systems with Device Guard enabled.

Continue reading →

Google has revealed details of a security vulnerability in Microsoft Edge before a patch has been produced. Through Project Zero, Google notified Microsoft about a bug in the browser's Arbitrary Code Guard (ACG) feature back in November, giving the company the usual 90-day disclosure deadline.

Google went further, granting Microsoft a further grace period of two weeks on request, but the vulnerability remains unfixed in Windows 10. As such, details of the "ACG bypass using UnmapViewOfFile" bug have now been made public.

Continue reading →

Over the weekend, two of Google’s Project Zero security researchers announced that they had discovered a "crazy bad" Windows exploit, describing it as the "worst in recent memory."

Project Zero gives firms 90 days to fix such discoveries, but Microsoft swiftly jumped on this problem, and just two days later has come up with a fix.

Continue reading →

Google’s Project Zero identifies bugs and security flaws in commonly used software, and gives firms 90 days to patch them before going public. This is an approach which doesn’t always go down well -- a case in point being when Google recently released details of a Windows bug after Microsoft failed to patch it in time.

Now two Project Zero security researchers claim to have found a new critical remote code execution (RCE) vulnerability in Windows which they describe as the "worst in recent memory" and "crazy bad".

Continue reading →

Not content with publishing details of an unpatched Windows bug, Google has now gone public with a security vulnerability in both Microsoft Edge and Internet Explorer. Going under the description of "Type confusion in HandleColumnBreakOnColumnSpanningElement", the bug has the potential to allow an attacker to execute malicious code.

The vulnerability has been assigned the code CVE-2017-0037, and details of the flaw have been published under the terms of Google's Project Zero. Microsoft was notified about the problem 90 days ago, and as the company failed to patch it Google has made the problem public.

Continue reading →

Google's Project Zero has proved controversial on several occasions already, with the search giant publicly revealing details of software bugs when companies fail to fix them. Now the project has unearthed a bug in Windows, and as Microsoft failed to patch it within 90 days of being notified, details of the flaw have been made available for everyone to see -- and exploit.

A problem with the Windows Graphics Component GDI library (gdi32.dll) means that a hacker could use EMF metafiles to access memory and wreak all sorts of havoc. While Microsoft has issued Security Bulletin MS16-074, Google's Mateusz Jurczyk says it failed to properly address the problem -- hence the public outing of the bug.

Continue reading →