No security feature is perfect. @tiraniddo.dev reviewed Windows' new Administrator Protection and found several bypasses.
projectzero.google/2026/26/wind...
At the gpg.fail talk and omg #39c3
You can just put a \0 in the Hash: header and then newlines and inject text in a cleartext message.
Won't even blame PGP here. C is unsafe at any speed.
gpg has not fixed it yet.
An analysis of a recent 0-click exploit targeting Samsung devices: googleprojectzero.blogspot.com/2025/12/a-lo...
We derestricted a number of vulnerabilities found by Big Sleep in JavaScriptCore today: issuetracker.google.com/issues?q=com...
All of them were fixed in the iOS 26.1 (and equivalent) update last month. Definitely some cool bugs in there!
We derestricted crbug.com/382005099 today which might just be my favorite bug of the last few years: bad interaction between WebAudio changing the CPU's handling of floats and V8 not expecting that. See crbug.com/382005099#co... for a PoC exploit. Also affected other browsers
NEW: The U.S. govt accused Peter Williams, ex general manager of hacking tool maker L3Harris Trenchant, of stealing trade secrets and selling them to a buyer in Russia.
As we reported earlier, Trenchant investigated a leak of internal tools this year. It's unclear if that investigation is related.
SCOOP: A man who worked on developing hacking and surveillance tools for defense contractor L3Harris Trenchant was notified by Apple that his iPhone was targeted with mercenary spyware.
The developer believes he was targeted after he was wrongly accused of leaking zero-days developed by Trenchant.
Serious bugs often occur in third-party components integrated by other software. Ivan Fratric and I found this vulnerability in the Dolby Unified Decoder. It affects Android, iOS and Windows among other platforms, sometimes 0-click.
project-zero.issues.chromium.org/issues/42807...
We now have a (draft) @metasploit-r7.bsky.social exploit module in the pull queue for the recent Microsoft SharePoint Server unauthenticated RCE zero-day (CVE-2025-53770), based on the in-the-wild exploit published a few days ago. Check it out here: github.com/rapid7/metas...
New: A security researcher found a bug that revealed the private recovery phone number of almost any Google account.
TechCrunch verified the bug w/ the researcher, who quickly brute-forced the phone number of a test Google account we had set up.
The final part of Mateusz's Windows Registry series is live! Contains all the hive memory corruption exploitation you've been waiting for
googleprojectzero.blogspot.com/2025/05/the-...
Great write-up, as usual, from Project 0 going into even more detail on the BlastPass iOS zero click exploit from 2023: googleprojectzero.blogspot.com/2025/03/blas...
"Windows App to replace Remote Desktop app for Windows"
There's a lot of confusion about what this means, so let me clarify:
This only affects the Remote Desktop App on the *Microsoft Store*, which you most likely don't use
Most system administrators use mstsc, the Windows built-in RDP client
We will never know, we will never have the faintest idea, how much money is getting made in insider trading windfalls from people in Trump's and Musk's circles who have an hour of notice about the daily swings in tariff policy or the occasional announced *expectations* of such swings.
Ghidra 11.3 is OUT!
PyGhidra is the new feature to be excited about. It's a Python library providing direct access to the Ghidra API.
I expect this to massively increase Reverse Engineering tool development, as it significantly reduces the barrier to entry for Ghidra interaction.
A 25-year-old DOGE worker named Marko Elez who has admin privileges on Treasury dept systems that control about 95% of payments made by the gov, including Social Security checks, tax refunds and contract payments "has already made extensive changes to the code base for these critical payment system"
New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...
To all our Bluesky friends, feel free to follow us here as we will be posting regular updates as the conference gets closer. See you in May!
Just unrestricted an issue that shows a fun new attack surface. Android RCS locally transcribes incoming media, making vulnerabilities in audio codecs now fully remote. This bug in an obscure Samsung S24 codec is 0-click
project-zero.issues.chromium.org/issues/36869...
Around 2008 I was in Ottawa and some MoD person mentioned that only a few years ago they stopped wargaming against a US invasion, and I joked "just wait until they run out of water for their golf courses in Arizona"...
Someone is using a fake PoC for the LDAPNightmare exploit to infect researchers and threat actors with an infostealer
www.trendmicro.com/en_us/resear...
Brazil's Gabriel Medina with the best touchdown celebration I've ever seen (Photo: Jerome Brouillet/Getty)
in the 90s, computers would scream every time you went online. that's called foreshadowing
Video of the talk I gave at Recon on hunting for bugs in the Windows TCP/IP stack is now up!
youtu.be/jzA5aLrK4OY