Google's Project Zero is changing its vulnerability disclosure timeline to give time for fixes to roll out
Project Zero is trialing a new model to disclose vulnerabilities that will give more time to OEMs to roll out patches to affected users.
Google’s Project Zero team is announcing some big changes to how it discloses security vulnerabilities to the public. Since its launch, Project Zero has followed a strict 90-day disclosure deadline. What this means is when a vulnerability is found, Project Zero will wait 90 days before publicly documenting the technical details. This allows vendors to patch the flaw in their software before attackers can exploit it.
Google fixes two more zero-day Chrome flaws that were already being exploited
Google has patched a pair of zero-day flaws in its Chrome browser which were already actively being exploited in the wild.
Google’s Project Zero white-hat hacker squad has patched two new zero-day vulnerabilities in the Chrome browser that were already being actively exploited in the wild, the third time in two weeks the team has had to patch a live vulnerability in the world’s most used web browser.
Google's Project Zero security team will now wait 90 days to disclose any vulnerabilities they find
Google's Project Zero security team will now wait out the full 90 days before disclosing vulnerabilities that they discover.
Project Zero is a security division employed by Google, which was founded in 2014. The team's primary mission is to discover zero-day vulnerabilities - that is, vulnerabilities that are unknown to (or unaddressed by) the party that should be interested in their mitigation. "Heartbleed" is one such zero-day exploit, which was privately reported by two separate security teams to OpenSSL. One of these security teams operated under Google and eventually led to the creation of Project Zero. The bug was discovered in April of 2014, and a build of OpenSSL with the bug fixed was released a few days later along with full disclosure of the bug. This full disclosure meant that systems not updated immediately were at risk, though that generally serves as a motivation for developer teams to update their software.
Google's Project Zero Discovered how to Bypass Samsung's Knox Hypervisor (Fixed in January Patch)
In the latest Project Zero blog post, the team has discovered a way to bypass Samsung's real-time kernel protection, called the Knox Hypervisor.
Google's Project Zero team has verified a number of exploits that enable Samsung's phones running the supposedly-secure Samsung Knox security suite to be attacked. The blog notes that all vulnerabilities have been passed to Samsung, which has released fixes for them in a January software update.
New Rowhammer Exploits use Hardware Vulnerabilities to Root LG, Samsung, and Motorola Devices
New Rowhammer exploit successfully roots LG, Samsung, and Motorola devices using bit-flips. The exploit was previously thought to be unviable.
Google is constantly at war with hackers seeking to maliciously exploit security vulnerabilities in its products. Back in the middle of 2014, Google assembled a team of security analysts called 'Project Zero' to report zero-day exploits to the company so they can be patched before any nefarious third party can take advantage of the undisclosed security hole. One such vulnerability, dubbed the 'Rowhammer' exploit, involves repeatedly accessing a row of memory to cause 'bit-flips' in adjacent rows of memory. This exploit occurs in some DRAM devices and can be used to gain read-write privileges to all of physical memory even within a user-space process.