Google's team of security vulnerability search specialists Project Zero has been on the run for some time to decrypt a set of computer hacks that have compromised several mobile and computer operating systems during the year 2020.
Namely Android, Windows and iOS. Of this vulnerability detected by Project Zero researchers, 3 of these security vulnerabilities could offer hackers the opportunity to benefit from actions through the iOS safari browser or Google Chrome. They are in their wake nearly 4 critical security flaws that were described by the researchers.
This article will also interest you: A zero-day flaw discovered on Google's Chrome browser
It was at the beginning of the year that these researchers decided to begin explaining this security flaw. This follows an observation of a wave of computer attacks on several operating systems at once. First of all, it started with the explanation of 4 critical security flaws at the base of this computer attack chain namely:
– CVE-2020-6428 (TurboFan in Chrome);
– CVE-2020-1020 (Font in Windows);
– CVE-2020-1027 (WindowsCSRSS).
Recently, Google researchers have been explaining the other flaws:
"Vulnerabilities cover a fairly broad spectrum of problems, from a modern JIT vulnerability to major cache problems related to police bugs," said Google Project Zero security researcher Maddie Stone, "Overall, each of these exploits has been the subject of a thorough understanding work." She added: "Of the last 7 flaws analyzed, CVE-2020-15999 has been particularly formidable, using a feat method never before observed by Google's research team using a variety of edcialization methods that have taken a long time to understand. ».
Among the vulnerabilities discovered were those that were later screened by the specialists of the American giant in 4 colors. These include:
– CVE-2020-17087 (Windows buffer overflow in cng.sys);
– CVE-2020-16009 (Chrome TurboFan type confusion);
– CVE-2020-16010 (Overshooting Chrome buffer for Android);
– CVE-2020-27930 (reading/writing in Safari's arbitrary stack via Type 1 fonts);
– CVE-2020-27950 (disclosure of iOS XNU Kernel core memory in mach messages);
– CVE-2020-27932 (iOS type confusion at the core level).
In their investigation, Google's computer security discovered that there were two servers that allowed hackers to activate their exploit through an attack called watering hole. The first one, which was active over a week, focused primarily on Windows and iOS systems.The second, operational attack, which lasted 36 hours, was exclusively aimed at Android systems.
"In total, we collected: 1 complete attack chain targeting Windows 10 fully corrected with Google Chrome, 2 fully corrected partial attack chains targeting 2 different Android 10 devices with Google Chrome and the Samsung browser, and RCE exploits for iOS 11-13 and a privilege-escalation feat for iOS 13," says Maddie Stone. "The iOS, Android and Windows devices were the only ones we tested while the servers were still active. The absence of other operating channels does not mean that these channels did not exist," she adds.
Now access an unlimited number of passwords: