Project Zero's Deep Dive into Windows Registry: 2 Years, 53 CVEs

2025-05-28

Mateusz Jurczyk of Google Project Zero spent two years researching the Windows Registry in depth, uncovering 53 CVEs in the process. His research highlights the complexity of the registry as a local privilege escalation attack surface, detailing security issues that stem from its large, legacy codebase written in C. The research covers several vulnerability classes, including memory corruption, information disclosure, and logic bugs, and analyzes attack entry points such as hive loading, app hives, and direct system calls. It also emphasizes how the registry's self-healing mechanisms affect security auditing, and the difficulty of auditing code where the boundary between strict format requirements and mere conventions is unclear. Finally, the post summarizes exploitation primitives and discusses strategies for, and difficulties in, fuzzing the registry.

Type Confusion Vulnerability in macOS coreaudiod Daemon

2025-05-19

A Google Project Zero security engineer discovered and exploited a high-risk type confusion vulnerability in macOS's coreaudiod daemon using a knowledge-driven fuzzing approach. The vulnerability resides in Mach IPC message handling, allowing attackers to manipulate Mach messages to bypass sandbox restrictions, potentially leading to code execution. The researcher open-sourced their custom fuzzing harness and detailed the exploitation process and Apple's fix.


Exploiting a Type Confusion Vulnerability in macOS's coreaudiod Daemon

2025-05-14

This blog post details the author's journey in discovering and exploiting a high-risk type confusion vulnerability in macOS's coreaudiod system daemon. Using a custom fuzzing harness, dynamic instrumentation, and static analysis, the author, a security engineer at Google Project Zero, uncovered a sandbox escape vulnerability. The research employed a knowledge-driven fuzzing approach, combining automated fuzzing with targeted manual reverse engineering. The vulnerability, CVE-2024-54529, has since been patched by Apple.

Dissecting NSO's BLASTPASS: A Zero-Click iOS Exploit

2025-03-27

Ian Beer of Google Project Zero details the analysis of NSO Group's BLASTPASS iMessage exploit. This zero-click attack chain leveraged a maliciously crafted WebP image disguised as a PassKit attachment to bypass the iMessage sandbox. By exploiting a Huffman coding vulnerability in the lossless WebP format, the attackers triggered memory corruption. A sophisticated 5.5MB bplist heap groom embedded in a MakerNote EXIF tag set up the memory overwrite that occurred during TIFF image rendering. The overwrite produced a forged CFReadStream object whose destructor, when invoked, executed malicious code. The attack exploited vulnerabilities in ImageIO and Wallet, bypassing the BlastDoor sandbox and Pointer Authentication Codes (PAC). HomeKit traffic may have been used for ASLR disclosure. The analysis reveals the complex techniques used, highlighting the need for robust sandbox mechanisms and a reduced remote attack surface.

Multiple Vulnerabilities in Qualcomm DSP Driver Raise Security Concerns

2024-12-16

Google's Project Zero team discovered six vulnerabilities in a Qualcomm DSP driver, one of which was exploited in the wild. The flaws were identified by analyzing kernel panic logs provided by Amnesty International, without access to the exploit sample itself. A code review uncovered multiple memory corruption vulnerabilities, including use-after-free bugs and refcount leaks. The attacker likely combined these vulnerabilities with heap spraying of inotify_event_info objects to achieve code execution. This highlights the critical need for improved security in Android's third-party drivers.
