Thrilled to announce my new Project Zero blog post is LIVE! 🎉 I detail my knowledge-driven fuzzing process to find sandbox escape vulnerabilities in CoreAudio on MacOS. I'll talk about this and the exploitation process next week offensivecon! googleprojectzero.blogspot.com/2025/05/breaki…

The slides for my OffensiveCon talk "Finding and Exploiting 20-year-old bugs in Web Browsers" docs.google.com/presentation/d…

Stoked for Jaron Bradley's soon to be released 2nd-book: "Threat Hunting macOS" 😍📚 (And was honored to write its forward). Jaron is an outstanding researcher, speaker, trainer, & friend, and this book will become an essential macOS security resource. linkedin.com/feed/update/ur…

Our new blog post is live: blog.dfsec.com/ios/2025/05/30…

My "Finding Vulnerabilities in Apple Packages at Scale" talk is up on YT 🎉

Woah, Tielei talk “Sending Me Your IOUserClients: A Bypass to Immovable Ports” at deepsec.cc was insanely good! I enjoyed it! Super clever new discovery. feels awesome to see other researchers referencing my past work.

I lightly mentioned CVE-2025-31235, a double-free I found in coreaudiod/CoreAudio, during my OffensiveCon presentation last month. It's been derestricted now, so enjoy my writeup which includes a PoC and dtrace script to help understand the vulnerability! project-zero.issues.chromium.org/issues/4062711…

📢 Just dropped: the full #OBTS v8 talk lineup! objectivebythesea.org/v8/talks.html And for the first time we'll have 3 full days of presentations! 🤩 Congrats to the selected speakers and mahalo to all who submitted. With ~100 submissions, selecting the final talks was a daunting task! 😫

So CVE-2025-43268 was indeed my vuln in cryptexctl, but Arsenii Kostromin found it first, kudos to him. Here's the "exploit", which makes sudo try and load an unsigned dylib from the current directory: /S*/L*/S*/u*/b*/c*.r* exec $PWD/ sudo ls

Launch constraints are annoying as a security researcher. What if you didn't have to worry about them? wts.dev/posts/bypassin…

We released our Fuzzilli-based V8 Sandbox fuzzer: github.com/googleprojectz… It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!

Brief info and POC for this week's Apple 0click iOS 18.6.1 RCE bug CVE-2025-43300 github.com/b1n4r1b01/n-da…

🍏 #AppleDevelopers use NSFileManager thinking it’s safe — but Mickey Jin found a race condition once thought “impossible to exploit.” At #NullconBerlin2025, he’ll show how it works, why CVE-2024-54566 failed, and Apple’s final fix. 👉 nullcon.net/berlin-2025/sp… #iOS #applesecurity

🚨 New blog post: ELEGANTBOUNCER - Catch iOS 0-click exploits without having the samples. Features iOS backup forensics & messaging app scanning for iMessage, WhatsApp, Signal, Telegram & Viber attachments. 🔗 Link -> msuiche.com/posts/elegantb…

A tiny timing flaw in Apple’s core file-copy APIs can put millions of devices at risk 📂🍏 Despite warnings, Apple thought it was “too hard to exploit”—until Mickey Jin developed an exploit that steals secrets in privileged services 👉nullcon.net/berlin-2025/sp… #NullconBerlin2025

Thank you Help Net Security to mention us 👍 awesome research by tsunekoh #macOS #applesecurity #NullconBerlin2025 helpnetsecurity.com/2025/09/04/mac…

For those missing the talk, Blog: jhftss.github.io/Exploiting-the… Slides: github.com/jhftss/jhftss.…

Excited to share our research on ChillyHell, a modular macOS backdoor targeting officials in Ukraine. Check out our write-up for more details. jamf.com/blog/chillyhel…