One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation

Posted by Mateusz Jurczyk of Google Project Zero This is the final part 4 of the “One font vulnerability to rule them all” blog post series. In the previous posts, we introduced the “blend” PostScript operator vulnerability and successfully used it to first exploit Adobe Reader, and later escape...

A walk through Project Zero metrics

Posted by Ryan Schoen, Project Zero tl;dr In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago. In addition to the average now being well below the 90-day deadline, w...

Adventures in vulnerability reporting

Posted by Natalie Silvanovich, Project Zero At Project Zero, we spend a lot of time reporting security bugs to vendors. Most of the time, this is a fairly straightforward process, but we occasionally encounter challenges getting information about vulnerabilities into the hands of vendors. Since i...

Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge

Posted by Natalie Silvanovich, Planner of Bug Bashes Recently, Project Zero researched a popular Android phone, the Samsung Galaxy S6 Edge. We discovered and reported 11 high-impact security issues as a result. This post discusses our motivations behind the research, our approach in looking for...

One Perfect Bug: Exploiting Type Confusion in Flash

Posted by Natalie Silvanovich, Dazed and Type Confused For some attackers, it is important that an exploit be extremely reliable. That is to say, the exploit should consistently lead to code execution when it is run on a system with a known platform and Flash version. One way to create such an...

pwn4fun Spring 2014 - Safari - Part II

Posted by Ian Beer TL;DR An OS X GPU driver trusted a user-supplied kernel C++ object pointer and called a virtual function. The IOKit registry contained kernel pointers which were used defeat kASLR. A kernel ROP payload ran Calculator.app as root using a convenient kernel API. Overview of part I...

Did the “Man With No Name” Feel Insecure?

Posted by James Forshaw, Taker of Names Sometimes when I'm doing security research I'll come across a bug which surprises me. I discovered just such a bug in the Windows version of Chrome which exposed a little-known security detail in the OS. The bug, CVE-2014-3196 was fixed in M38, so it seemed...

The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit

Posted by Seth Jenkins, Google Project Zero This blog post provides a technical analysis of exploit artifacts provided to us by Google's Threat Analysis Group TAG from Amnesty International. Amnesty’s report on these exploits is available here. Thanks to both Amnesty International and Google's...

MTE As Implemented, Part 3: The Kernel

By Mark Brand, Project Zero Background In 2018, in the v8.5a version of the ARM architecture, ARM proposed a hardware implementation of tagged memory, referred to as MTE Memory Tagging Extensions. In Part 1 we discussed testing the technical and implementation limitations of MTE on the hardware...

Significant Flash exploit mitigations are live in v18.0.0.209

Posted by Mark Brand and Chris Evans, isolators of heaps Whilst Project Zero has gained a reputation for vulnerability and exploitation research, that's not all that we do. One of the main reasons we perform this research is to provide data to defenders; and one of the things that defenders can d...

A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens

Posted by Seth Jenkins We recently published an exploit chain for the Google Pixel 9 that demonstrated it was possible to go from a zero-click context to root on Android in just two exploits. The Dolby 0-click vulnerability existed across all of Android, until it was patched in January 2026. Whil...

The Windows Registry Adventure #4: Hives and the registry layout

Posted by Mateusz Jurczyk, Google Project Zero To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit abbreviated as HKCR, HKLM, HKCU, HKU and HKCC, and each of them contains a nested tree structure that serv...

The Windows Registry Adventure #3: Learning resources

Posted by Mateusz Jurczyk, Google Project Zero When tackling a new vulnerability research target, especially a closed-source one, I prioritize gathering as much information about it as possible. This gets especially interesting when it's a subsystem as old and fundamental as the Windows registry...

Exploiting null-dereferences in the Linux kernel

Posted by Seth Jenkins, Project Zero For a fair amount of time, null-deref bugs were a highly exploitable kernel bug class. Back when the kernel was able to access userland memory without restriction, and userland programs were still able to map the zero page, there were many easy techniques for...

Announcing the Fuzzilli Research Grant Program

Posted by Samuel Groß, Project Zero Project Zero’s mission is to make 0-day hard in order to improve end-user security. We attack this problem in different ways, including supporting other security researchers. While Google currently offers research grants, they are limited to academics and those...

OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB

Posted by Jann Horn, Google Project Zero Recently, there has been some attention around the topic of physical attacks on smartphones, where an attacker with the ability to connect USB devices to a locked phone attempts to gain access to the data stored on the device. This blogpost describes how...

task_t considered harmful

Posted by Ian Beer, Project Zero This post discusses a design issue at the core of the XNU kernel which powers iOS and MacOS. Apple have shipped two iterations of mitigations followed yesterday by a large refactor in MacOS 10.12.1/iOS 10.1. We’ll look at the bugs, how they can be exploited to...

The Windows Registry Adventure #8: Practical exploitation of hive memory corruption

Posted by Mateusz Jurczyk, Google Project Zero In the previous blog post, we focused on the general security analysis of the registry and how to effectively approach finding vulnerabilities in it. Here, we will direct our attention to the exploitation of hive-based memory corruption bugs, i.e.,...

The Windows Registry Adventure #7: Attack surface analysis

Posted by Mateusz Jurczyk, Google Project Zero In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this...

Searching statically-linked vulnerable library functions in executable code

Helping researchers find 0ld days Posted by Thomas Dullien, Project Zero Executive summary Software supply chains are increasingly complicated, and it can be hard to detect statically-linked copies of vulnerable third-party libraries in executables. This blog post discusses the technical details ...

How to Compromise the Enterprise Endpoint

Posted by Tavis Ormandy. Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand. Today we’re publishing...

Exploiting CVE-2014-0556 in Flash

Posted by Chris Evans, Kidnapper of RIP A couple of weeks ago, Adobe released security bulletin APSB14-21, including 8 fixes for bugs reported by Project Zero. Full details of these bugs are now public in our bug tracker. Some of the more interesting ones are a double free in the RTMP protocol, o...

Examining Pointer Authentication on the iPhone XS

Posted by Brandon Azad, Project Zero In this post I examine Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS, with a focus on how Apple has improved over the ARM standard. I then demonstrate a way to use an arbitrary kernel read/write primitive to forge kernel...

Windows Sandbox Attack Surface Analysis

Posted by James Forshaw, Quartermaster of Tools Analysing the attack surface of user-mode sandboxed applications is a good way to hunt for elevation of privilege vulnerabilities. Much of the task of enumerating the attack surface could be done manually, but that’s a very tedious and error prone...

The Windows Registry Adventure #2: A brief history of the feature

Posted by Mateusz Jurczyk, Google Project Zero Before diving into the low-level security aspects of the registry, it is important to understand its role in the operating system and a bit of history behind it. In essence, the registry is a hierarchical database made of named "keys" and "values",...

Policy and Disclosure: 2021 Edition

Posted by Tim Willis, Project Zero At Project Zero, we spend a lot of time discussing and evaluating vulnerability disclosure policies and their consequences for users, vendors, fellow security researchers, and software security norms of the broader industry. We aim to be a vulnerability research...

BitUnmap: Attacking Android Ashmem

Posted by Gal Beniamini, Project Zero The law of leaky abstractions states that “all non-trivial abstractions, to some degree, are leaky”. In this blog post we’ll explore the ashmem shared memory interface provided by Android and see how false assumptions about its internal operation can result i...

One font vulnerability to rule them all #3: Windows 8.1 32-bit sandbox escape exploitation

Posted by Mateusz Jurczyk of Google Project Zero This is part 3 of the “One font vulnerability to rule them all” blog post series. In the previous posts, we introduced the “blend” PostScript operator vulnerability, discussed the Charstring primitives necessary to fully control the stack contents...

MTE As Implemented, Part 2: Mitigation Case Studies

By Mark Brand, Project Zero Background In 2018, in the v8.5a version of the ARM architecture, ARM proposed a hardware implementation of tagged memory, referred to as MTE Memory Tagging Extensions. In Part 1 we discussed testing the technical and implementation limitations of MTE on the hardware...

Enter the Vault: Authentication Issues in HashiCorp Vault

Posted by Felix Wilhelm, Project Zero Introduction In this blog post I'll discuss two vulnerabilities in HashiCorp Vault and its integration with Amazon Web Services AWS and Google Cloud Platform GCP. These issues can lead to an authentication bypass in configurations that use the aws and gcp aut...

aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript

by Ivan Fratric, Thomas Dullien, James Forshaw and Steven Vittitoe Intro Many widely-deployed technologies, viewed through 20/20 hindsight, seem like an odd or unnecessarily risky idea. Engineering decisions in IT are often made with imperfect information and under time pressure, and some odditie...

A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby

Posted by Natalie Silvanovich Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to...

First handset with MTE on the market

By Mark Brand, Google Project Zero Introduction It's finally time for me to fulfill a long-standing promise. Since I first heard about ARM's Memory Tagging Extensions, I've said to far too many people at this point to be able to back out… that I'd immediately switch to the first available device...

Oops, I missed it again!

Written by Brandon Azad, when working at Project Zero This is a quick anecdotal post describing one of the more frustrating aspects of vulnerability research: realizing that you missed a bug that was staring you in the face only once you see the patched version! Some suspicious code After writing...

Heap Feng Shader: Exploiting SwiftShader in Chrome

Posted by Mark Brand, Google Project Zero On the majority of systems, under normal conditions, SwiftShader will never be used by Chrome - it’s used as a fallback if you have a known-bad “blacklisted” graphics card or driver. However, Chrome can also decide at runtime that your graphics driver is...

One font vulnerability to rule them all #2: Adobe Reader RCE exploitation

Posted by Mateusz Jurczyk of Google Project Zero This is part 2 of the “One font vulnerability to rule them all” blog post series. In part 1 “introducing the BLEND vulnerability”, we discussed how developments in the digital typography field in the last four decades shaped the various font format...

Exploiting NVMAP to escape the Chrome sandbox - CVE-2014-5332

Posted by Lee Campbell, Graphics Pwning Unit This guest post continues Project Zero’s practice of promoting excellence in security research on the Project Zero blog Background: Chrome for Android implements a very different sandbox model to that of Chrome for Linux. One of the platform features w...

Welcome to the new Project Zero Blog

Posted by Natalie Silvanovich While on Project Zero, we aim for our research to be leading-edge, our blog design was … not so much. We welcome readers to our shiny new blog! For the occasion, we asked members of Project Zero to dust off old blog posts that never quite saw the light of day. And...

Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages

Guest post by Dillon Franke, Senior Security Engineer, 20% time on Project Zero Every second, highly-privileged MacOS system daemons accept and process hundreds of IPC messages. In some cases, these message handlers accept data from sandboxed or unprivileged processes. In this blog post, I’ll...

Blasting Past Webp

An analysis of the NSO BLASTPASS iMessage exploit Posted by Ian Beer, Google Project Zero On September 7, 2023 Apple issued an out-of-band security update for iOS: Around the same time on September 7th 2023, Citizen Lab published a blog post linking the two CVEs fixed in iOS 16.6.1 to an "NSO Gro...

Calling Local Windows RPC Servers from .NET

Posted by James Forshaw, Project Zero As much as I enjoy finding security vulnerabilities in Windows, in many ways I prefer the challenge of writing the tools to make it easier for me and others to do the hunting. This blog post gives an overview of using some recent tooling I’ve released as part...

The story of Adobe Reader symbols

Posted by Mateusz Jurczyk, Project Zero Modern day security analysis of client applications is often hindered by the inaccessibility of their source code and other aids such as debug symbols. As a result, it is necessary to perform completely black-box reverse engineering of the software, in orde...

A year of Windows kernel font fuzzing #2: the techniques

Posted by Mateusz Jurczyk of Google Project Zero In part 1 of the series see here, we discussed the motivation and outcomes of our year long fuzzing effort against the Windows kernel font engine, followed by an analysis of two bug collisions with Keen Team and Hacking Team that ensued as a result...

A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?

Posted by Natalie Silvanovich While our previous two blog posts provided technical recommendations for increasing the effort required by attackers to develop 0-click exploit chains, our experience finding, reporting and exploiting these vulnerabilities highlighted some broader issues in the Andro...

Project Zero Prize Conclusion

Posted by Natalie Silvanovich, Project Zero On September 13, 2016 we announced the Project Zero Prize. It concluded last week with no prizes awarded. The purpose of this post is to discuss what happened and what we learned about hacking contest design. Throughout the contest, we did not receive a...

Chrome OS exploit: one byte overflow and symlinks

The following article is an guest blog post from an external researcher i.e. the author is not a Project Zero or Google researcher. This post is about a Chrome OS exploit I reported to Chrome VRP in September. The Project Zero folks were nice to let me do a guest post about it, so here goes. The...

FireEye Exploitation: Project Zero’s Vulnerability of the Beast

Posted by Tavis Ormandy, Chief Silver Bullet Skeptic. FireEye sell security appliances to enterprise and government customers. FireEye’s flagship products are monitoring devices designed to be installed at egress points of large networks, i.e. where traffic flows from the intranet to the internet...

Summary: MTE As Implemented

By Mark Brand, Project Zero In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the...

MTE As Implemented, Part 1: Implementation Testing

By Mark Brand, Project Zero Background In 2018, in the v8.5a version of the ARM architecture, ARM proposed a hardware implementation of tagged memory, referred to as MTE Memory Tagging Extensions. Through mid-2022 and early 2023, Project Zero had access to pre-production hardware implementing thi...

Escaping the Chrome Sandbox with RIDL

Guest blog post by Stephen Röttger tl;dr: Vulnerabilities that leak cross process memory can be exploited to escape the Chrome sandbox. An attacker is still required to compromise the renderer prior to mounting this attack. To protect against attacks on affected CPUs make sure your microcode is u...