Project Zero's Redesign Is a Reminder: 2016 Windows Bugs Still Teach
Google Project Zero relaunched its blog and used the moment to republish vulnerability research from 2016 and 2017 — a signal that foundational exploitation techniques haven't gone stale.
Key Takeaways
- Google Project Zero relaunched its blog on 16 December 2025 and marked the occasion by republishing older, previously under-exposed research.
- The reissued posts include James Forshaw's 2016 piece on Windows race conditions in path lookups and Jann Horn's 2017 'Thinking Outside The Box'.
- Project Zero's framing — that these techniques 'are still relevant' — is a useful check for defenders who assume older exploitation classes are fully mitigated.
- For security teams, the real value isn't the redesign; it's using the opportunity to revisit foundational Windows exploitation research still applicable to modern assessments.
Google's Project Zero has relaunched its blog with a new design, and used the announcement — written by Natalie Silvanovich and published 16 December 2025 — to do something more interesting than a coat of paint: it republished vulnerability research that, in the team's words, never quite got the attention it deserved the first time around.
The post itself is light on technical content. It's an editorial note acknowledging that Project Zero's prior blog design lagged behind the quality of its research, and a statement of intent — the team says it will keep using the platform to document attacker capabilities and the defensive opportunities that follow from understanding them.
What was republished, and why it matters
Two pieces anchor the relaunch. The first is James Forshaw's 2016 write-up, Windows Exploitation Techniques: Race conditions with path lookups, which dissects how Windows resolves file paths and how timing windows in that resolution process can be abused. The second is Jann Horn's 2017 post, Thinking Outside The Box. Both predate a wave of Windows hardening work, but path-resolution races and the class of logic bugs they represent remain a live category in modern exploitation research — file system TOCTOU issues in particular keep resurfacing across operating systems, not just Windows.
Project Zero's own framing is worth taking at face value: they explicitly say they wish the techniques covered were no longer relevant, and that they are not. For a research team with Project Zero's disclosure track record, that's a deliberate statement, not filler copy.
Why this matters beyond nostalgia
It's tempting to read a blog relaunch as pure housekeeping. But for practitioners, republishing older research is a low-cost way to resurface techniques that newer engineers on a red team or an app-sec function may never have encountered, because they were published before the engineer's career started or buried in a blog that was hard to navigate. Race conditions in path handling, TOCTOU bugs, and the broader category of time-of-check/time-of-use issues are not solved problems — they show up in modern CVEs across privilege-escalation chains, container runtimes, and driver code, not just in decade-old Windows internals research.
The practical takeaway for security teams is less about the redesign and more about the prompt it gives: revisit foundational exploitation research periodically, not just the newest CVE writeups. Techniques that look dated in a blog post can still be very current in a live target.
FAQ
Frequently Asked Questions
What did Google Project Zero actually announce?
A redesign of its research blog, published 16 December 2025, alongside republished older posts the team felt hadn't gotten enough visibility the first time — including James Forshaw's 2016 research on Windows path-lookup race conditions.
Is the republished research about a new vulnerability?
No. These are previously published pieces — Forshaw's 2016 Windows exploitation techniques post and Jann Horn's 2017 'Thinking Outside The Box' — reissued on the new platform, not new disclosures.
Why do old exploitation techniques like path-lookup races still matter?
Time-of-check/time-of-use and path-resolution race conditions are a persistent bug class that continues to surface in privilege-escalation and local exploitation research well beyond the Windows-specific context they were first documented in.
Sources
- 1Welcome to the new Project Zero Blog — Google Project Zero