Ever since 2014, Google’s Project Zero has been finding and disclosing software vulnerabilities in some of the world’s biggest programs, and a few of their recently discoveries have show just how important their work is to everyone.
Windows
Late last month the Project Zero team discovered a Windows vulnerability that is being *actively exploited in the wild*.
The flaw, in Windows 7 and Window 10, allows an attacker to escalate system privileges. It was being used in conjunction with a Google Chrome vulnerability (recently patched) that allowed an attacker to escape the “security sandbox” that browsers create to prevent malicious code being run on a user’s machine.
While the Chrome vulnerability was patched in late October, the Windows fix didn’t occur until November 10, so make sure you update now if you haven’t yet. (Or, you could try out a Linux system).
iOS
Project Zero also discovered three flaws in iOS and MacOS over the past few weeks. All of these flaws were also being actively exploited in the wild.
These three flaws were all quite severe, they included:
- Code execution using maliciously-crafted fonts
- An app can obtain locations in kernel memory
- A bug could allow code to run with highly-privileged system rights.
The small amount of good news is that these attacks had to be targeted. These would not be sprayed around the internet (or App Store) haphazardly, but they would be used to go after specific persons of interest.
These were all patched in Apple’s iOS 14.2 release and in MacOS 10.15.7. Again, make sure that your software is up-to-date. While Google hasn’t released the specifics of this vulnerability, now that attackers know it is out there, they will almost certainly start looking for it.
You can read some more about Google’s Project Zero over at their website.
