Tweets

Ben Hawkes
@benhawkes
Jan 30

Cool, hadn't seen laf-intel before. I suspect @taviso was the first to implement something like this. Sub-instruction profiling from "Making Fuzzing Dumber" in 2009.

Ben Hawkes retweeted

j00ru//vx
@j00ru
Jan 30

Just published a follow-up to my Adobe Reader symbols story on the Project Zero blog. Turns out there's even more debug metadata to be found in some old (and new) builds, including private CoolType symbols. Enjoy! googleprojectzero.blogspot.com/2020/01/part-i…

Ben Hawkes
@benhawkes
Jan 9

Rare praise! The Pwnies are the Oscars of infosec, but the Mark Dowd "pretty good at computers" award is clearly the Nobel Prize.

Ben Hawkes
@benhawkes
Jan 9

Quick reminder that we're still updating the "0day detected in-the-wild" spreadsheet here: googleprojectzero.blogspot.com/p/0day.html. The first entry for 2020 is now in the books -- CVE-2019-17026 is a type confusion issue in the JIT engine for Firefox, detected in active attacks by Qihoo 360 ATA.

Ben Hawkes
@benhawkes
Jan 9

Project Zero blog: "Remote iPhone Exploitation Part 3: From Memory Corruption to JavaScript and Back -- Gaining Code Execution" by Samuel Groß (@5aelo) -- googleprojectzero.blogspot.com/2020/01/remote…

Ben Hawkes
@benhawkes
Jan 9

Project Zero blog: "Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass" by Samuel Groß (@5aelo) -- googleprojectzero.blogspot.com/2020/01/remote…

Ben Hawkes retweeted

Samuel Groß
@5aelo
Jan 9

I'm very excited to share my blogpost series (including PoC code) about a remote, interactionless iPhone exploit over iMessage: googleprojectzero.blogspot.com/2020/01/remote…

Ben Hawkes
@benhawkes
Jan 9

Project Zero blog: "Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641" by Samuel Groß (@5aelo) -- googleprojectzero.blogspot.com/2020/01/remote…

Ben Hawkes
@benhawkes
Jan 7

Also I suspect quite a few vendors will still want to align disclosure around security bulletins, and that's still an option.

Ben Hawkes
@benhawkes
Jan 7

Related to this, note that we're going to be paying much more attention to variants: "Details of incomplete fixes will be reported to the vendor and added to the existing report (which may already be public)"

Ben Hawkes
@benhawkes
Jan 7

Yeah, in the short term that's possibly true. The long-term goal though is to reduce the total time for users to receive a high quality patch on their device, which should ultimately reduce the viability of patch diffing for 1-day. If it doesn't work, we'll rebalance the policy.

Ben Hawkes
@benhawkes
Jan 7

Since affected users might have needed to rotate secrets, timely notification was considered to be very important (and still would be under our new policy!). Some more details are here: bugs.chromium.org/p/project-zero…

Ben Hawkes
@benhawkes
Jan 7

For those following along, note that Tavis disclosed the details several days after the initial fix in practice. The main discussion (and disagreement) was around how much time to allow for cleanup (removing the user data that was cached by search engines) vs user notification.

Ben Hawkes retweeted

Matt Miller
@epakskape
Jan 7

Kudos to the GPZ team for their willingness to explore new vulnerability disclosure policies in addition to doing great research :)
At the risk of wading into a disclosure debate (plz no), I think these policy changes will help improve customer safety twitter.com/itswillis/stat…

Ben Hawkes
@benhawkes
Jan 7

I think you're right that attackers are incentivized to study patches in more detail than defenders though, so we'll be looking very closely at the gap between patch and disclosure to make sure the policy is well balanced.

Ben Hawkes
@benhawkes
Jan 7

For the vendors that want to disclose information closer to the patch date, we still have that option though. I suspect quite a few will still want to align disclosure around security bulletins.

Ben Hawkes
@benhawkes
Jan 7

Great question, I'm definitely concerned about it and it was a big part of our discussions. Talking to a lot of vendors, they're generally aware of this type of analysis, but it wasn't always the biggest factor in terms of motivating them to improve patch speed/quality/adoption.

Ben Hawkes retweeted

Tim Willis
@itswillis
Jan 7

At Google Project Zero, the team spends a *lot* of time discussing and evaluating vulnerability disclosure policies and their consequences. It's a complex and controversial topic!
Here's P0's policy changes for 2020 (with our rationale for the changes):
googleprojectzero.blogspot.com/2020/01/policy…

Ben Hawkes
@benhawkes
Jan 7

Project Zero Policy and Disclosure: 2020 Edition -- googleprojectzero.blogspot.com/2020/01/policy…