projectzero
Latest
Google discloses 'high severity' Mac security flaw ahead of patch
Google's Project Zero security disclosure program is once again proving to be a double-edged sword. The company has detailed a "high severity" macOS kernel flaw that lets people modify a user-mounted file system image without the virtual management subsystem being any the wiser, theoretically letting an attacker go unnoticed by users. Apple is working on a patch, but the disclosure ahead of the fix could leave Mac users vulnerable until it's ready.
Initial 'Fortnite' Android installer let hackers install malware
When Epic said it would skip the Google Play Store with Fortnite's Android release, it raised eyebrows among security experts. Wasn't it creating risks by encouraging gamers (some of whom didn't understand the potential dangers) to install non-Store apps? Well, it did... although not quite in the way you might have expected. Epic Games has patched a Google-discovered vulnerability in Fortnite's original Android installer that would have let intruders download and install malware. The exploit used a man-in-the-disk attack that took advantage of Epic's initially flawed storage handling to intercept download requests and load nefarious content.
Google found another bug in Microsoft’s Edge browser
Google tasks its Project Zero time with finding security issues and loopholes within other companies' products, and they're pretty effective at what they do. Now, Google has made public a medium-level security issue within Microsoft's Edge browser. The vulnerability was first discovered back in November.
Grammarly patches bug that could expose everything you write (update: not everything)
Grammarly, a copyediting app/extension for Chrome and Firefox that points out typos and grammatical mistakes, had a major bug that allowed any website you visit to log into your account and read everything you ever wrote. It made all your documents, history, logs, tweets and blog posts vulnerable to high-tech snoops. Google's Project Zero, which unearths and tracks vulnerabilities and reports them to software-makers, revealed the bug on February 2nd. Thankfully, the Grammarly team has quickly patched it up and has already auto-updated the program used by over 20 million users.
Meltdown and Spectre CPU flaws threaten PCs, phones and servers
By now you've probably heard about a bug Intel is dealing with that affects processors built since 1995. But according to the people who found "Meltdown" and "Spectre," the errors behind these exploits can let someone swipe data running in other apps on devices using hardware from Intel, ARM and AMD. While server operators (like Amazon) apply Linux patches to keep people from accessing someone else's information that's being executed on the same system, what does this mean for your home computer or phone?
Microsoft just fixed a serious Windows Defender bug
Over the weekend, Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich tweeted about discovering "the worst Windows remote code exec in recent memory." According to Ormandy, it could work against a default installation and even become "wormable" -- able to replicate itself on a targeted machine and then spread to other computers automatically. Now we know more about what the problem is since, in just two days, Microsoft's Security Response Center and Windows Defender developers were able to come up with a fix that is now available via Windows Update for Windows 7, 8.1, RT and 10 (according to Microsoft, the Control Flow Guard security feature lowers the risk of this attack on 8.1 and 10), as well as other versions that IT professionals may be more familiar with.
Critical security flaws found in LastPass on Chrome, Firefox (updated)
Last year Google Project Zero researcher Tavis Ormandy quickly found some "obvious" security problems in the popular password manager LastPass, and now he's done it again. Last week Ormandy mentioned finding an exploit in one version of its extension for Firefox, before following that up with a new bug that affected both Chrome and Firefox, and finally a third vulnerability that could allow "stealing passwords for any domain."
TrueCrypt Windows encryption app has critical security flaws
If you're still using TrueCrypt to protect your Windows disks, even though its developers abandoned it and said it was "not secure" last year, you may want to stop that. Google Project Zero researcher James Forshaw found two "privilege elevation" holes in the popular software that would give attackers full access to your data. Worse yet, TrueCrypt was audited earlier this by a crowdfunded team of iSec security researchers and found to be error-free. Google's James Forshaw said on Twitter that the miss was understandable, though: "iSec phase 1 audit reviewed this specific code but Windows drivers are complex beasts (and) easy to miss."
Google is giving companies a break on security disclosures
Google's Project Zero is supposed to goad companies into patching software security flaws before they pose a threat, but that's not exactly how the effort has panned out. As Apple and Microsoft will tell you, the strict 90-day disclosure deadline sometimes leaves developers scrambling to finish patches after the details of an exploit go public. Thankfully, Google appears to be listening to those gripes -- the Project Zero team has tweaked its policies to give programmers a better chance at mending holes. Companies now get a 14-day "grace period" to release fixes if they let Google know that the code won't be ready within the usual 90-day window. Also, the folks in Mountain View won't ruin tech workers' days off by revealing vulnerabilities on holidays and weekends.
OS X Yosemite update tackles 'surprise' Mac security flaws
You know those unpatched Mac security exploits that Google revealed a few days ago? You probably won't have to worry about them any more. Apple has released OS X Yosemite 10.10.2, a hefty update that fixes those vulnerabilities, which let an intruder hijack your system in the right circumstances. There's also a solution for Thunderstrike, a nasty (if unlikely) attack that would compromise your computer through a malicious Thunderbolt device. Most of the other 10.10.2 tweaks aren't huge, although you'll probably like having access to iCloud Drive storage in your Time Machine backups. You'll definitely want to grab the upgrade, even if you don't need some of the smaller perks -- it should go quite some distance toward safeguarding your Mac.
Google reveals Mac security holes before Apple's fix is ready
Microsoft isn't the only big tech firm grappling with surprise security flaw disclosures these days. Google's Project Zero security unit revealed at least two unpatched vulnerabilities in OS X (Yosemite appears to have mitigated a third) that theoretically help attackers take control of your Mac. The search company says it privately notified Apple about the holes back in October, but automatically published the details after Project Zero's usual 90-day cutoff period. Apple's usual policy is to decline comment on exploits like this until it has a solution. However, relief is at least relatively close -- iMore reports that an upcoming Yosemite update (10.10.2) is expected to tackle these flaws. The main question is whether or not Apple can deliver its fix before malware writers find a way to use those bugs for sinister purposes.
Google posts Windows 8.1 vulnerability before Microsoft can patch it
Google's Project Zero tracks vulnerabilities in software systems and reports them to vendors "in as close to real-time as possible" -- a noble cause, no? But what happens if said vendor then fails to push a fix within the 90-day window? Microsoft just found out: Google will go ahead and publish the bug anyway, complete with code that can be used to exploit it. A researcher found a Windows 8.1 security hole that allows lower-level users to become administrators, giving them access to sensitive server functions they'd normally have no right to. Though it remains unpatched by Microsoft, the Zero team published it several days ago -- right on schedule.
