Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild. CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation). The security bulletin is available here:
"The WebP 0day" -- a full technical analysis of the recently patched vulnerability in the WebP image library that was exploited in the wild (CVE-2023-4863).
It looks like we won't be able to use the Apple "Security Research Device" due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90 day policy.
After 12 years at Google, it's time to say goodbye! Watching the growth and achievements of the Google security team over the past 12 years has been an incredible experience. Important problems, and a bunch of amazing people. For me though, it's time to try something new. 1/3
Project Zero is hiring! Vulnerability research, exploit development, tooling development, and using security research results to drive long-term improvements in software/hardware security.
This is a list of the most commonly exploited vulnerabilities between 2016 and 2019, from CISA and FBI. Unfortunately they didn't share their methodology, but let's take a closer look at the CVEs, because I think the list shows an interesting trend.
Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome. A stable release that fixes this issue (CVE-2020-15999) is available here:
Excited to welcome @NedWilliamson to Project Zero today! A keen viewer might have noticed that Ned was previously working with us on a 20% project, but now will be joining the team full time. Welcome, Ned!
In addition to last week's Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here:
ANNOUNCEMENT: The first 5 Briefings selected for #BHUSA 2019 have just been posted. Lots more to come, but check out these abstracts for an early sampling
Project Zero blog post: "Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege" by James Forshaw (@tiraniddo) -
Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android.
We'll continue to research Apple platforms and provide Apple with all of our findings, because we think that's the right thing to do for user security. But I'll confess, I'm pretty disappointed.
I'm very excited to be switching to a "technical lead" role at Project Zero! Tim Willis (@itswillis) will be taking over our team management role, and I'll continue working with Tim on leadership stuff, but with more of a research focus overall. (1/2)
Next up for me: a short break to enjoy the summer here in San Diego, and then I'll be starting my own company focused on application security -- a new set of challenges! 3/3
Nice new WiFi remote iOS bug from @i41nbeer today, CVE-2020-3843. "Currently this poc demonstrates the ability to remotely dump device physical memory regions over the air with no user interaction on iPhone 11 Pro running iOS 13.3."
New blog post series from @5aelo on exploiting the WebKit JIT engine! Part 1 (introducing a JIT engine bug): Part 2 (getting arbitrary read/write): Part 3 (bypassing PAC and the final exploit):
"How to Build a Fuzzing Corpus" introduces some of the basic theory behind using a seed corpus for fuzzing, and answers three key questions: what is a seed corpus, why are they useful, and how can we build one from scratch?
I think we first asked Apple for a security research test device in 2014 or early 2015. And since then we've reported over 350 security vulnerabilities to Apple.
I just posted an article called "The Legacy of Stagefright" which explores the impact that the Stagefright vulnerabilities had on Android platform security:
Talking to @5aelo about this recently, it sounded like Apple put a non-trivial amount of effort into improving iMessage security in iOS 14 (IIRC: a significant rewrite, reduction of native code, better sandboxing, breaking the read receipts oracle, and fixing some PAC bypasses).
New Isosceles blog: -- "An Introduction to Exploit Reliability" is a short, high-level overview of exploit reliability from a defensive point-of-view. What is exploit reliability? What can defenders do to make writing a reliable exploit harder?
Our good friend @_bazad has a few things left over in the Project Zero publishing pipeline -- "it's really easy to miss bugs, even ones that you feel should have been obvious".
What is a "good" Linux Kernel bug? "In the world of vulnerability research, we like to call bugs 'good' if they're bad, and 'bad' if they're either boring or completely catastrophic."
I'm particularly proud of my team at Project Zero. The past 8 years have been one huge adventure, and I've had the best companions along the way. I'm just so genuinely grateful to have been a part of this team. Keep making great art, and I'll see you all soon! 2/3
Welcome Tim Willis (@itswillis) to Project Zero! Tim will be working as an engineering manager/team lead in our Zurich office, initially focusing on partnerships, policy, and strategy. Will this be the moment that Tim finally starts using Twitter? Only time will tell...