Google exposes malicious exploits targeting Windows and Android users

Google's Project Zero is an initiative aimed at uncovering zero-day vulnerabilities and other bugs that could be exploited to infect systems and devices with malware. Now the group has revealed a string of vulnerabilities that might have affected a large number of users had they not been patched.

In a series of blog posts published Tuesday, Google revealed that it discovered two malicious servers set to deliver different exploit campaigns through watering hole attacks. In such an attack, cybercriminals determine which websites are visited by different organizations or groups and then compromise those sites with malware hoping to infect the visitors.

One server caught by Google targeted Windows users, while the other server was aimed at Android users. Both servers used Google Chrome vulnerabilities to try to remotely execute code on affected devices. The exploits for Chrome and Windows included zero-day vulnerabilities, while the one for Android took advantage of n-day vulnerabilities.

A zero-day vulnerability is one that is newly discovered but is unknown to the vendor, and therefore no patch is yet available. An n-day vulnerability is one that is publicly known and possibly patched by the vendor but still exploitable.

N-day vulnerabilities can be more problematic because they quickly become common knowledge among hackers and cybercriminals. In some cases, a patch issued by the vendor also needs to be applied on the client side before the threat is mitigated on a widespread basis.

Analyzing the hackers' behavior, Google said it believes they had access to zero-day vulnerabilities in Android even though the Project Zero team didn't find any. But the experts were able to extract the following details from the exploit servers:

In some instances, the hackers used an initial exploit to build detailed fingerprints of users' devices from inside the sandbox. In these cases, the attackers gathered a lot of data about the user's device before deciding whether or not to pursue the exploit further. In other cases, the attackers opted to fully exploit a system without wasting any time.

In five follow-up blog posts, Google displays and describes the code used in these exploit attacks.

All the discovered zero-day exploits were patched last year by the appropriate vendors as detailed by the following CVEs (Common Vulnerabilities and Exposures).

"These exploit chains are designed for efficiency and flexibility through their modularity," Google said in its blog post. "They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains."