url = https://googleprojectzero.blogspot.com
project zero
Understanding Network Access in Windows AppContainers (Aug)
An EPYC escape: Case-study of a KVM breakout (Jun)
Designing sockfuzzer, a network syscall fuzzer for... (Apr)
Policy and Disclosure: 2021 Edition (Apr)
Who Contains the Containers? (Apr)
In-the-Wild Series: October 2020 0-day discovery (Mar)
Déjà vu-lnerability (Feb)
A Look at iMessage in iOS 14 (Jan)
Windows Exploitation Tricks: Trapping Virtual Memo... (Jan)
The State of State Machines (Jan)
Hunting for Bugs in Windows Mini-Filter Drivers (Jan)
In-the-Wild Series: Android Post-Exploitation (Jan)
In-the-Wild Series: Windows Exploits (Jan)
In-the-Wild Series: Android Exploits (Jan)
In-the-Wild Series: Chrome Infinity Bug (Jan)
In-the-Wild Series: Chrome Exploits (Jan)
Introducing the In-the-Wild Series (Jan)
An iOS hacker tries Android (Dec)
An iOS zero-click radio proximity exploit odyssey (Dec)
Oops, I missed it again! (Nov)
Enter the Vault: Authentication Issues in HashiCor... (Oct)
Announcing the Fuzzilli Research Grant Program (Oct)
Attacking the Qualcomm Adreno GPU (Sep)
JITSploitation I: A JIT Bug (Sep)
JITSploitation II: Getting Read/Write (Sep)
JITSploitation III: Subverting Control Flow (Sep)
MMS Exploit Part 5: Defeating Android ASLR, Gettin... (Aug)
Exploiting Android Messengers with WebRTC: Part 3 (Aug)
MMS Exploit Part 4: MMS Primer, Completing the ASL... (Aug)
The core of Apple is PPL: Breaking the XNU kernel'... (Jul)
One Byte to rule them all (Jul)
Root Cause Analyses for 0-day In-the-Wild Exploits (Jul)
Detection Deficit: A Year in Review of 0-days Used... (Jul)
MMS Exploit Part 3: Constructing the Memory Corrup... (Jul)
MMS Exploit Part 2: Effective Fuzzing of the Qmage... (Jul)
MMS Exploit Part 1: Introduction to the Samsung Qm... (Jul)
How to unc0ver a 0-day in 4 hours or less (Jul)
FF Sandbox Escape (CVE-2020-12388) (Jun)
A survey of recent iOS kernel exploits (Jun)
Fuzzing ImageIO (Apr)
You Won't Believe what this One Line Change Did to... (Apr)
TFW you-get-really-excited-you-patch-diffed-a-0day... (Apr)
Escaping the Chrome Sandbox with RIDL (Feb)
Mitigations are attack surface, too (Feb)
A day^W^W Several months in the life of Project Ze... (Feb)
Part II: Returning to Adobe Reader symbols on macOS (Jan)
Remote iPhone Exploitation Part 3: From Memory Cor... (Jan)
Remote iPhone Exploitation Part 2: Bringing Light ... (Jan)
Remote iPhone Exploitation Part 1: Poking Memory v... (Jan)
Calling Local Windows RPC Servers from .NET (Dec)
SockPuppet: A Walkthrough of a Kernel Exploit for ... (Dec)
Bad Binder: Android In-The-Wild Exploit (Nov)
KTRW: The journey to build a debuggable iPhone (Oct)
The story of Adobe Reader symbols (Oct)
Windows Exploitation Tricks: Spoofing Name... (Sep)
A very deep dive into iOS Exploit chains found in ... (Aug)
In-the-wild iOS Exploit Chain 1 (Aug)
Implant Teardown (Aug)
JSC Exploits (Aug)
The Many Possibilities of CVE-2019-8646 (Aug)
Down the Rabbit-Hole... (Aug)
The Fully Remote Attack Surface of the iPhone (Aug)
Windows Exploitation Tricks: Abusing the User-Mode... (Apr)
Virtually Unlimited Memory: Escaping the Chrome Sa... (Apr)
Splitting atoms in XNU (Apr)
Windows Kernel Logic Bug Class: Access Mode Mismat... (Mar)
Android Messaging: A Few Bugs Short of a Chain (Mar)
The Curious Case of Convexity Confusion (Feb)
Examining Pointer Authentication on the iPhone XS (Feb)
voucher_swap: Exploiting MIG reference counting in... (Jan)
Taking a page from the kernel's book: A TLB issue ... (Jan)
On VBScript (Dec)
Searching statically-linked vulnerable library fun... (Dec)
Adventures in Video Conferencing Part 5: Where Do ... (Dec)
Adventures in Video Conferencing Part 4: What Didn... (Dec)
Adventures in Video Conferencing Part 3: The Even ... (Dec)
Adventures in Video Conferencing Part 2: Fun with ... (Dec)
Adventures in Video Conferencing Part 1: The Wild ... (Dec)
Injecting Code into Windows Protected Processes us... (Nov)
Heap Feng Shader: Exploiting SwiftShader in Chrome (Oct)
Deja-XNU (Oct)
365 Days Later: Finding and Exploiting Safari Bugs... (Oct)
A cache invalidation bug in Linux memory management (Sep)
OATmeal on the Universal Cereal Bus: Exploiting An... (Sep)
The Problems and Promise of WebAssembly (Aug)
Windows Exploitation Tricks: Exploiting Arbitrary ... (Aug)
Adventures in vulnerability reporting (Aug)
Drawing Outside the Box: Precision Issues in Graph... (Jul)
Detecting Kernel Memory Disclosure – Whitepaper (Jun)
Reading privileged memory with a side-channel (Jan)
aPAColypse now: Exploiting Windows 10 in a Local N... (Dec)
Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi... (Oct)
Using Binary Diffing to Discover Windows Kernel Me... (Oct)
The Great DOM Fuzz-off of 2017 (Sep)
Bypassing VirtualBox Process Hardening on Windows (Aug)
Windows Exploitation Tricks: Arbitrary Directory C... (Aug)
Trust Issues: Exploiting TrustZone TEEs (Jul)
Exploiting .NET Managed DCOM (Apr)
Exception-oriented exploitation on iOS (Apr)
Over The Air: Exploiting Broadcom’s Wi-Fi Stack (P... (Apr)
Notes on Windows Uniscribe Fuzzing (Apr)
Pandavirtualization: Exploiting the Xen hypervisor (Apr)
Project Zero Prize Conclusion (Mar)
Attacking the Windows NVIDIA Driver (Feb)
Lifting the (Hyper) Visor: Bypassing Samsung’s Rea... (Feb)
Chrome OS exploit: one byte overflow and symlinks (Dec)
BitUnmap: Attacking Android Ashmem (Dec)
Breaking the Chain (Nov)
task_t considered harmful (Oct)
Announcing the Project Zero Prize (Sep)
Return to libstagefright: exploiting libutils on A... (Sep)
A Shadow of our Former Self (Aug)
A year of Windows kernel font fuzzing #2: the tech... (Jul)
How to Compromise the Enterprise Endpoint (Jun)
A year of Windows kernel font fuzzing #1: the results (Jun)
Exploiting Recursion in the Linux Kernel (Jun)
Life After the Isolated Heap (Mar)
Race you to the kernel! (Mar)
Exploiting a Leaked Thread Handle (Mar)
The Definitive Guide on Win32 to NT Path Conversion (Feb)
Racing MIDI messages in Chrome (Feb)
Raising the Dead (Jan)
FireEye Exploitation: Project Zero’s Vulnerability... (Dec)
Between a Rock and a Hard Link (Dec)
Windows Sandbox Attack Surface Analysis (Nov)
Hack The Galaxy: Hunting Bugs in the Samsung Galax... (Nov)
Windows Drivers are True’ly Tricky (Oct)
Revisiting Apple IPC: (1) Distributed Objects (Sep)
Kaspersky: Mo Unpackers, Mo Problems. (Sep)
Stagefrightened? (Sep)
Enabling QR codes in Internet Explorer, or a story... (Sep)
Windows 10^H^H Symbolic Link Mitigations (Aug)
One font vulnerability to rule them all #4: Window... (Aug)
Three bypasses and a fix for one of Flash's Vector... (Aug)
Attacking ECMAScript Engines with Redefinition (Aug)
One font vulnerability to rule them all #2: Adobe ... (Aug)
One font vulnerability to rule them all #1: Introd... (Jul)
One Perfect Bug: Exploiting Type Confusion in Flash (Jul)
Significant Flash exploit mitigations are live in ... (Jul)
From inter to intra: gaining reliability (Jul)
When ‘int’ is the new ‘short’ (Jul)
What is a "good" memory corruption vulnerability? (Jun)
Analysis and Exploitation of an ESET Vulnerability (Jun)
Owning Internet Printing - A Case Study in Modern ... (Jun)
Dude, where’s my heap? (Jun)
A Tale of Two Exploits (Apr)
Taming the wild copy: Parallel Thread Corruption (Mar)
Exploiting the DRAM rowhammer bug to gain kernel p... (Mar)
Feedback and data-driven updates to Google’s discl... (Feb)
(^Exploiting)\s*(CVE-2015-0318)\s*(in)\s*(Flash$) (Feb)
A Token’s Tale (Feb)
Exploiting NVMAP to escape the Chrome sandbox - CV... (Jan)
Finding and exploiting ntpd vulnerabilities (Jan)
Internet Explorer EPM Sandbox Escape CVE-2014-6350 (Dec)
pwn4fun Spring 2014 - Safari - Part II (Nov)
Project Zero Patch Tuesday roundup, November 2014 (Nov)
Did the “Man With No Name” Feel Insecure? (Oct)
More Mac OS X and iPhone sandbox escapes and kerne... (Oct)
Exploiting CVE-2014-0556 in Flash (Sep)
The poisoned NUL byte, 2014 edition (Aug)
What does a pointer look like, anyway? (Aug)
Mac OS X and iPhone sandbox escapes (Jul)
pwn4fun Spring 2014 - Safari - Part I (Jul)
Announcing Project Zero (Jul)