• One of the first Project Zero reports that attracted attention involved a flaw that allowed hackers to take control of software running the Safari browser. For its efforts, the team, specifically Beer, was cited in Apple's brief note of thanks.
• On 30 September 2014, Google detected a security flaw within Windows 8.1's system call "NtApphelpCacheControl", which allows a normal user to gain administrative access. Microsoft was notified of the problem immediately but did not fix it within 90 days, which meant information about the bug was made publicly available on 29 December 2014.
• On 9 March 2015, Google Project Zero's blog posted a guest post that disclosed how a previously known hardware flaw in commonly deployed DRAM called Row Hammer could be exploited to escalate privileges for local users. This post spawned a large quantity of follow-up research in both the academic and hardware communities.
• On 19 February 2017, Google discovered a flaw within Cloudflare's reverse proxies, which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Some of this data was cached by search engines. A member of the Project Zero team referred to this flaw as Cloudbleed. On 31 March 2017, LastPass announced they had fixed the problem.
• Project Zero was involved in discovering the Meltdown and Spectre vulnerabilities affecting many modern CPUs, which were discovered in mid-2017 and disclosed in early January 2018. The issue was discovered by Jann Horn independently from the other researchers who reported the security flaw and was scheduled to be published on 9 January 2018 before the date was moved up because of growing speculation.
• On 1 February 2019, Project Zero reported to Apple that they had detected a set of five separate and complete iPhone exploit chains affecting iOS 10 through all versions of iOS 12, not targeting specific users but having the ability to infect any user who visited an infected site. A series of hacked sites, which Project Zero estimated to receive thousands of visitors per week, were being used in indiscriminate watering hole attacks against their visitors. Project Zero felt the attacks indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years. Apple fixed the exploits in the release of iOS 12.1.4 on 7 February 2019, and said the fixes were already underway when reported by Project Zero.
• On 18 April 2019, Project Zero discovered a bug in Apple iMessage wherein a certain malformed message could cause Springboard to "...crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input." This would completely crash the iPhone's UI, making it inoperable. This bug would persist even after a hard reset. The flaw also affected iMessage on Mac with different results. Apple fixed the bug within the 90-day period before Project Zero released it.
• In December 2021, the team published a technical breakdown of the FORCEDENTRY exploit based on its collaboration with Apple’s Security Engineering and Architecture (SEAR) group.

==See also==