Google Migrating Android to Memory-Safe Programming Languages
Between 2019 and 2022, the annual number of reported memory safety issues in Android has dropped from 223 to 85, due to an increase in the amount of memory-safe code entering the mobile platform, and the trend is expected to continue. Memory safety bugs, Google notes, are typically the most severe type of vulnerabilities. In…
Google Ready to Roll Out Android Privacy Sandbox in Beta
The initiative was initially announced in February, with the developer preview version of the feature being released in May. The Privacy Sandbox on Android is meant to limit the sharing of user data and prevent cross-app identifiers such as advertising IDs, while supporting developers and businesses that are targeting mobile devices. In May, the internet…
Google Pays $70k for Android Lock Screen Bypass
Tracked as CVE-2022-20465, the security bug was resolved as part of the November 2022 Android patches, and could have allowed an attacker with physical access to a device to unlock it in minutes. The issue, which Schutz accidentally discovered, could allow an attacker to unlock an Android phone by triggering the SIM PIN reset mechanism,…
Chrome 106 Update Patches Several High-Severity Vulnerabilities
All the newly resolved vulnerabilities were discovered by external researchers and the internet giant has handed out $38,000 in bug bounty rewards to the reporters. Based on the bug bounty amounts that Google has paid out, the most severe of the newly addressed flaws is CVE-2022-3445, a use-after-free vulnerability in Skia, the open-source 2D graphics…
Google Improves Chrome Protections Against Use-After-Free Bug Exploitation
A type of memory corruption bugs, use-after-free issues occur when a program does not clear the pointer after freeing memory allocation. These flaws could lead to arbitrary code execution, data corruption, or denial of service. Use-after-free vulnerabilities may also be combined with other security flaws, leading to complete system compromise. The exploitation of use-after-free issues…
Chrome 105 Patches Critical, High-Severity Vulnerabilities
Twenty-one of the resolved security defects were reported by external researchers, including one critical-, eight high-, nine medium-, and three low-severity vulnerabilities. A total of nine use-after-free issues were resolved with the latest browser update, the most important of which is a critical flaw in the Network Service component, reported by Google Project Zero researcher…
Google Boosts Bug Bounty Rewards for Linux Kernel Vulnerabilities
Called kCTF, the program was launched in 2020 to provide security researchers with the means to report vulnerabilities in the Google Kubernetes Engine (GKE), for which they receive a flag. “All of GKE and its dependencies are in scope, but every flag caught so far has been a container breakout through a Linux kernel vulnerability….
Exploitation of Recent Chrome Zero-Day Linked to Israeli Spyware Company
Google was informed about the vulnerability and attacks exploiting it on July 1 by cybersecurity company Avast, which observed it being used against its customers in the Middle East as part of what appeared to be highly targeted operations. The vulnerability is tracked as CVE-2022-2294 and it has been described as a heap buffer overflow…
Google Blocks Domains of Hack-for-Hire Groups in Russia, India, UAE
The internet giant has added more than 30 domains used by these threat groups to its Safe Browsing mechanism, which prevents users from accessing them. Hack-for-hire groups are often conflated with entities offering surveillance tools. Google has pointed out that surveillance vendors typically provide the tools needed for spying but leave it up to the…
Google: Hack-for-Hire Groups Present a Potent Threat
The threat associated with nation-state-backed hacking groups has been well-researched and chronicled in recent times, but there’s another, equally dangerous set of adversaries that’s operated comparatively in the shadows for years. These are hack-for-hire groups that specialize in breaking into systems and stealing email and other data as a service. Their clients can be private…
