Google’s Project Zero on Tuesday introduced a six-part series analyzing four zero-day vulnerabilities in Windows and Chrome, along with known-day Android exploits, that the team found during its extensive research last year.

In a blog post, the team said it uncovered the vulnerabilities after finding a watering hole attack in Q1 2020 performed by a highly sophisticated threat actor. The researchers said they discovered two servers that delivered different exploit chains: one server targeted Windows users, the other targeted Android. From the exploit servers, the Project Zero team extracted the following:

  • Renderer exploits for four bugs in Chrome, one of which was still a zero-day at the time of the discovery.
  • Two sandbox escape exploits abusing three zero-day vulnerabilities in Windows.
  • A “privilege escalation kit” composed of publicly known N-day (known-day) exploits for older versions of Android. Based on the actor's sophistication, the researchers think it's likely that the actor had access to Android zero-days, but the researchers didn't discover any in their analysis.