Google reveals sophisticated Italian spyware campaign targeting victims in Italy, Kazakhstan

The campaign is just the latest example of the increasingly sophisticated world of private zero-day exploit development, researchers said.

The post Google reveals sophisticated Italian spyware campaign targeting victims in Italy, Kazakhstan appeared first on CyberScoop.


Zero-day exploits found and disclosed hit a record high in 2021, Google Project Zero says

There were 58 total. The good news: Detection and disclosure of zero-day exploits have increased, the research team says.

The post Zero-day exploits found and disclosed hit a record high in 2021, Google Project Zero says appeared first on CyberScoop.


Project Zero researchers see promising trends in vulnerability fixes

Big tech vendors generally are remediating serious bugs faster than they were three years ago, according to a new report from Google’s Project Zero. The data — while limited to vulnerabilities the group itself reported between January 2019 and December 2021, and influenced by what the group’s researchers have chosen to pursue — offers “a number of promising trends,” according to Ryan Schoen of Project Zero. “Vendors are fixing almost all of the bugs that they receive, and they generally do it within the 90-day deadline plus the 14-day grace period when needed,” he wrote. In 2021 there was not “a single 90 day deadline exceeded,” which could be because responsible disclosure policies are becoming more standard across the industry, “and vendors are more equipped to react rapidly to reports with differing deadlines,” he wrote. Under the team’s vulnerability disclosure policy, it privately tells a vendor about a bug first, […]

The post Project Zero researchers see promising trends in vulnerability fixes appeared first on CyberScoop.


Bad patching practices are a breeding ground for zero-day exploits, Google warns

Customers of major software vendors take comfort whenever a vendor issues a security fix for a critical software vulnerability. The clients expect that software update to keep attackers from stealing sensitive information. But new data from Google’s elite hacking team, Project Zero, suggests that assumption is misplaced. One in four “zero-day,” or previously unknown, software exploits that the Google team tracked in 2020 might have been avoided “if a more thorough investigation and patching effort were explored,” Project Zero researcher Maddie Stone said Wednesday. In some cases, the attackers only changed a line or two of code to turn their old exploit into a new one. Many of the zero-day exploits were for popular internet browsers like Chrome, Firefox or Safari, exposing an array of users around the world. Project Zero’s sample size is modest, covering just 24 exploits in all. But the data points to a need for greater […]

The post Bad patching practices are a breeding ground for zero-day exploits, Google warns appeared first on CyberScoop.


Revealed: Sophisticated ‘Watering Hole’ Attack – But By Whom?

Google revealed a novel, complex, well-engineered campaign of targeted attacks. But there are more questions than answers.
The post Revealed: Sophisticated ‘Watering Hole’ Attack – But By Whom? appeared first on Security Boulevard.

An iOS exploit that enables iPhone takeover is described in cybersecurity researcher’s ‘work of art’

If there’s one thing to read this week about Apple security, it’s researcher Ian Beer’s massive, spirited and highly detailed account of how he developed a powerful tool for breaking into nearby iPhones. The piece, “An iOS zero-click radio proximity exploit odyssey,” earned Beer high praise for his persistence in working out the attack, as well as thorough reporting of how he did it. He posted the magnum opus Tuesday on the blog for Google Project Zero, the tech giant’s team of zero-day hunters. Beer — known as one of the most skilled iOS hackers around — makes some things clear up top: The vulnerability was reported to Apple before the company launched coronavirus contact-tracing technology on iPhones in May. And no one should ever be lulled into a false sense of security, he says, when it comes to mobile devices. “The takeaway from this project should not be: no one will […]

The post An iOS exploit that enables iPhone takeover is described in cybersecurity researcher’s ‘work of art’ appeared first on CyberScoop.


iPhone Bug Allowed for Complete Device Takeover Over the Air

Researcher Ian Beer from Google Project Zero took six months to figure out the radio-proximity exploit of a memory corruption bug that was patched in May.

Facebook Messenger Bug Allows Spying on Android Users

The company patched a vulnerability that could connect video and audio calls without the knowledge of the person receiving them.

2 More Google Chrome Zero-Days Under Active Exploitation

Browser users are once again being asked to patch severe vulnerabilities that can lead to remote code execution.