mankind’s natural inertia in general hates changes… and updates are changes…
but updates are critical for security.
“ALL OS are unsafe – Flash and the most broswers anyway. This year’s Pwn2Own contest showed once more – zero-day-exploits are everywhere and are just waiting to be used.” (src heise)
Mozilla reacted pretty fast – fixing/patching the problem in 22h.
2014: Firefox completely 0wned by polish security researcher
2017: hacking in china
“Team from @ChaitinTech does it again using 6 (!) bugs to go through Apple #Safari to gain root access on macOS – earning $35K. #Pwn2Own” (src tweet)
“Chaitin Security Research Lab (@ChaitinTech) welcomes Ubuntu to #Pwn2Own with a Linux kernel heap OOB access: earns them $15K.” (src tweet)
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
Mozilla Foundation Security Advisory 2017-08
integer overflow in createImageBitmap()
- Announced
- March 17, 2017
- Impact
- critical
- Products
- Firefox, Firefox ESR
- Fixed in
-
- Firefox 52.0.1
- Firefox ESR 52.0.1
#CVE-2017-5428: integer overflow in createImageBitmap()
- Reporter
- Chaitin Security Research Lab via Trend Micro’s Zero Day Initiative
- Impact
- critical
Description
An integer overflow in createImageBitmap()
was reported through the Pwn2Own contest.
The fix for this vulnerability disables the experimental extensions to the createImageBitmap
API.
This function runs in the content sandbox, requiring a second vulnerability to compromise a user’s computer.
References
Videos:
Links:
https://www.tencent.com/zh-cn/index.html
http://www.zerodayinitiative.com/
The Zero Day Initiative (ZDI), founded by TippingPoint (TrendMicro, founded 1989 by Japanese in USA), is a program for rewarding security researchers for responsibly disclosing vulnerabilities. Depending on who you are, here are a few links to get you started:
- Researchers: Learn how we pay for your vulnerability discoveries, register for the ZDI or login.
- Vendors: Read our disclosure policy or join our security partner program
- Press, Curiosity Seeker: Learn more about ZDI or read answers to some frequently asked questions
Please contact us at zdi [at] trendmicro [dot] com with any questions or queries. For sensitive e-mail communications, please use our PGP key.
http://blog.trendmicro.com/welcome-pwn2own-2017-schedule/
https://www.heise.de/thema/Pwn2own (German only)
http://blog.trendmicro.com/category/zero-day-initiative/
-
Mozilla Firefox is the First Pwn2own 2017 Victim to be Patched …
www.esecurityplanet.com/browser-security/moz… Anonym öffnen Markieren
20 Mar 2017 … Last week, the 10th annual Pwn2own hacking challenge was hosted … in createImageBitmap() was reported through the Pwn2Own contest,” …
-
Mozilla reagiert zügig auf Firefox-Exploit des Hacker-Wettbewerbs …
https://www.heise.de/security/meldung/Mozill… Anonym öffnen Markieren
19. März 2017 … … betroffen – die verwundbare createImageBitmap -API kommt bei der ESR- Ausgabe nicht … Die Pwn2Own-Veranstaltung findet jährlich statt.
Tweets:
@ChaitinTech does it again using 6 (!) bugs to go through Apple
#Safari to gain root access on macOS – earning $35K.#Pwn2Own
liked this article?
- only together we can create a truly free world
- plz support dwaves to keep it up & running!
- (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
- really really hate advertisement
- contribute: whenever a solution was found, blog about it for others to find!
- talk about, recommend & link to this blog and articles
- thanks to all who contribute!