• “Expert” hackers used 11 Zerodays to infect Windows, iOS, and Android users
  • Written by Dan Goodin
  • The Nuggets Translation Project
  • Permanent link to this article: github.com/xitu/gold-m…
  • Translator: Hoarfroster
  • Proofreader: Kimhooo, PingHGao

The hackers used 11 zero-day exploits to infect Windows, iOS and Android users

What sets this group apart is the number of previously unknown vulnerabilities at its disposal and the skill with which it exploits them.

Google researchers said a team of advanced hackers exploited no fewer than 11 zero-day vulnerabilities over a nine-month period, using compromised websites to infect fully patched Windows, iOS and Android devices.

Using novel exploitation and obfuscation techniques, a command of a wide range of vulnerability types, and a complex delivery infrastructure, the group exploited four zero-days in February 2020. Members of Google’s Project Zero and Threat Analysis Group marveled at the “sophistication” of the group’s ability to chain together multiple exploits that compromised fully patched Windows and Android devices.

The attacks did not stop there

On Thursday, Project Zero researcher Maddie Stone said that in the eight months that followed the February attacks, the same group exploited seven more previously unknown vulnerabilities, which this time also resided in iOS. As in February, the exploits were delivered through watering-hole attacks: the attackers compromised websites frequently visited by the targeted users and added code to those sites that installed malware on visitors’ devices.

In all of the attacks, the watering-hole sites redirected visitors to a sprawling infrastructure that served different exploits depending on the device and browser the visitor was using. The two exploit servers used in February targeted only Windows and Android devices; the later attacks also targeted devices running iOS.
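The injection described above, code added to a legitimate site so that visitors are redirected to the exploit infrastructure, is something a site owner can catch by diffing the resources a page loads against a known-good baseline. The following is an added example and is not code from the article or from Google’s post; the two HTML documents are constructed for the demonstration, and the hosts `cdn.example`, `news.example` and `stats-example.net` are made up.

```python
"""Watering-hole integrity check: compare the external origins and inline
scripts of a served page against a known-good baseline of the same page.

Added example, not code from the article or from Google's Project Zero post.
Both HTML documents below are constructed; the host names are invented."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs through which a page pulls in code or content from
# another location. An attacker who "adds code to the site" either appends
# an inline <script> or points one of these at a host they control.
LOADING_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
}


class ResourceCollector(HTMLParser):
    """Collects the set of hosts a page loads from, plus a count of inline
    scripts. Relative URLs resolve to the page's own host; protocol-relative
    URLs ("//host/x.js") resolve to that host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.origins = set()
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases attribute names for us
        for name in LOADING_ATTRS.get(tag, ()):
            url = attrs.get(name)
            if url:
                host = urlsplit(url).netloc or self.page_host
                self.origins.add(host.lower())
        if tag == "script" and not attrs.get("src"):
            self.inline_scripts += 1


def external_resources(html, page_host):
    """Return (set of origins, number of inline scripts) for one page."""
    collector = ResourceCollector(page_host)
    collector.feed(html)
    collector.close()
    return collector.origins, collector.inline_scripts


def diff_page(baseline_html, current_html, page_host):
    """Report what the current page loads that the baseline did not."""
    base_origins, base_inline = external_resources(baseline_html, page_host)
    cur_origins, cur_inline = external_resources(current_html, page_host)
    return {
        "new_origins": sorted(cur_origins - base_origins),
        "removed_origins": sorted(base_origins - cur_origins),
        "inline_script_delta": cur_inline - base_inline,
    }


# Constructed baseline: a page that legitimately loads one stylesheet from
# its own host and one library from a CDN.
BASELINE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example/lib.js"></script>
</head><body><p>news</p></body></html>"""

# Constructed tampered copy: an inline script and a hidden iframe pointing
# at a third-party host have been appended before </body>.
TAMPERED = BASELINE.replace(
    "</body>",
    '<script>var _q=1;</script>'
    '<iframe src="https://stats-example.net/a.html" width=0 height=0></iframe>'
    "</body>",
)

if __name__ == "__main__":
    print(diff_page(BASELINE, TAMPERED, "news.example"))
```

The baseline should be captured from the site’s own deploy artifact, not from a live fetch, and the check is worth running from several vantage points and user agents, since an exploit server that gates on device and browser may only be wired in for the visitors it wants.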

The ability to breach fully patched operating systems and the advanced defenses built into applications (Chrome on Windows 10 and Safari on iOS, for example) testifies both to the team’s skill and to the number of zero-days at its disposal. After Google patched a code-execution flaw in the Chrome renderer that the attackers had been exploiting in February, the group quickly swapped in a new code-execution exploit for Chrome’s V8 engine.

In a blog post on Thursday, Stone wrote:

The vulnerabilities cover a fairly broad spectrum of issues, from a modern JIT vulnerability to a large cache of font bugs. Overall, each of the exploits showed an expert understanding of exploit development and of the vulnerability being exploited. In the case of the Chrome FreeType zero-day, the exploitation method was new to Project Zero. The process of figuring out how to trigger the iOS kernel privilege vulnerability would have been non-trivial, and the obfuscation methods were varied and time-consuming to work through.

In summary, the Google researchers recovered the following:

  • A complete exploit chain that worked against fully patched Windows 10 devices running Google Chrome
  • Two partial chains targeting fully patched Android 10 devices running Google Chrome and Samsung Browser
  • Remote code execution exploits for iOS 11 through 13 and a privilege escalation exploit for iOS 13

The seven zero-days are:

  • CVE-2020-15999 — Chrome FreeType heap buffer overflow
  • CVE-2020-17087 — Windows heap buffer overflow in cng.sys
  • CVE-2020-16009 — Chrome type confusion in TurboFan map deprecation
  • CVE-2020-16010 — Chrome for Android heap buffer overflow
  • CVE-2020-27930 — Safari arbitrary stack read/write via Type 1 fonts
  • CVE-2020-27950 — iOS XNU kernel memory disclosure in Mach message trailers
  • CVE-2020-27932 — iOS kernel type confusion with turnstiles
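For the seven CVEs listed above, the practical question for a defender is whether a given build is past the fix. The following is an added example, not code from the article or from Google’s post. The version thresholds are taken from the vendors’ October and November 2020 release notes: Chrome 86.0.4240.111 (FreeType) and 86.0.4240.183 (V8) for desktop, Chrome 86.0.4240.185 for Android, and iOS 14.2 together with iOS 12.4.9 for the three Apple bugs; cng.sys was fixed by Microsoft’s cumulative update of 10 November 2020, so Windows is modelled as a date gate rather than a version gate. Verify the thresholds against the advisories before relying on them.

```python
"""Patch-level check for the seven zero-days listed above.

Added example; not code from the original article or from Google's post.
Thresholds come from the Chrome and Apple release notes of Oct/Nov 2020
and from Microsoft's November 2020 cumulative update date (see lead-in)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re


@dataclass(frozen=True)
class Fix:
    cve: str
    product: str
    # One threshold per release branch that received a fix, e.g. iOS 12.4.9
    # for older devices and iOS 14.2 for current ones.
    fixed_in: tuple = ()
    # For products patched by dated cumulative updates rather than versions.
    fixed_on: Optional[date] = None


FIXES = (
    Fix("CVE-2020-15999", "chrome", ((86, 0, 4240, 111),)),
    Fix("CVE-2020-16009", "chrome", ((86, 0, 4240, 183),)),
    Fix("CVE-2020-16010", "chrome-android", ((86, 0, 4240, 185),)),
    Fix("CVE-2020-27930", "ios", ((12, 4, 9), (14, 2))),
    Fix("CVE-2020-27950", "ios", ((12, 4, 9), (14, 2))),
    Fix("CVE-2020-27932", "ios", ((12, 4, 9), (14, 2))),
    Fix("CVE-2020-17087", "windows", fixed_on=date(2020, 11, 10)),
)


def parse_version(text):
    """'86.0.4240.111' -> (86, 0, 4240, 111). Tuples compare lexicographically,
    so (14, 2, 1) >= (14, 2) holds as expected."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_fixed(version, thresholds):
    """A build is fixed if it is at or above the threshold for its own major
    branch, or its major is newer than every branch that got a fix. A major
    with no threshold (iOS 13 here) is treated as unfixed: that branch never
    received an update for these bugs, so its users had to move forward."""
    major = version[0]
    for threshold in thresholds:
        if threshold[0] == major:
            return version >= threshold
    return major > max(t[0] for t in thresholds)


def unpatched(product, version_text=None, last_update=None):
    """Return the CVEs from the list that `product` is still exposed to,
    given its version string (or, for Windows, the date of the last
    installed cumulative update)."""
    exposed = []
    for fix in FIXES:
        if fix.product != product:
            continue
        if fix.fixed_on is not None:
            if last_update is None or last_update < fix.fixed_on:
                exposed.append(fix.cve)
        elif not is_fixed(parse_version(version_text), fix.fixed_in):
            exposed.append(fix.cve)
    return exposed


if __name__ == "__main__":
    for product, version in (("chrome", "86.0.4240.75"), ("ios", "13.7"),
                             ("ios", "12.4.9"), ("chrome-android", "86.0.4240.110")):
        print(product, version, unpatched(product, version))
    print("windows", unpatched("windows", last_update=date(2020, 10, 13)))
```

The branch-aware comparison matters more than it looks: a plain numeric check would flag iOS 12.4.9 as vulnerable because 12 is less than 14, and would pass iOS 13.7 because it is newer than 12.4.9, getting both cases wrong.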

Breaking through the defenses

Exploit chains are typically required to break through the defenses built into modern operating systems and applications. A series of exploits is usually needed: one to run code on the targeted device (here, inside the browser), another to break out of the browser’s security sandbox, and another to elevate privileges so that the code can reach sensitive parts of the operating system.

Thursday’s post did not offer details about the group responsible for the attacks. It would be useful to know whether the hackers belong to a group already known to researchers or are a previously unseen team, and information about who was targeted would help as well.

It is still important to keep applications and operating systems up to date and to avoid visiting suspicious websites. Unfortunately, neither of those measures would have helped the victims hacked by this unknown group: the exploits worked against fully patched systems, and the compromised sites were ones the victims normally visited.

If you find any mistakes in the translation or other areas that need improvement, you are welcome to submit a revision to the Nuggets Translation Project as a PR and earn the corresponding reward points. The permanent link at the top of this article points to the Markdown source of this article on GitHub.


The Nuggets Translation Project is a community that translates high-quality technical articles from English and shares them on Nuggets. It covers Android, iOS, front-end, back-end, blockchain, product, design, artificial intelligence and other fields. For more high-quality translations, follow the Nuggets Translation Project, its official Weibo account and its Zhihu column.