mankind’s natural inertia in general hates changes… and updates are changes…

but updates are critical for security.

“ALL OS are unsafe – Flash and the most broswers anyway. This year’s Pwn2Own contest showed once more – zero-day-exploits are everywhere and are just waiting to be used.” (src heise)

Mozilla reacted pretty fast – fixing/patching the problem in 22h.

2014: Firefox completely 0wned by polish security researcher

2017: hacking in china

“Team from does it again using 6 (!) bugs to go through Apple to gain root access on macOS – earning $35K. ” (src tweet)

“Chaitin Security Research Lab () welcomes Ubuntu to with a Linux kernel heap OOB access: earns them $15K.” (src tweet)

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

Mozilla Foundation Security Advisory 2017-08

integer overflow in createImageBitmap()

Announced
March 17, 2017
Impact
critical
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 52.0.1
  • Firefox ESR 52.0.1

#CVE-2017-5428: integer overflow in createImageBitmap()

Reporter
Chaitin Security Research Lab via Trend Micro’s Zero Day Initiative
Impact
critical
Description

An integer overflow in createImageBitmap() was reported through the Pwn2Own contest.

The fix for this vulnerability disables the experimental extensions to the createImageBitmap API.

This function runs in the content sandbox, requiring a second vulnerability to compromise a user’s computer.

References

Videos:

Links:

https://www.tencent.com/zh-cn/index.html

https://twitter.com/thezdi

http://www.zerodayinitiative.com/

The Zero Day Initiative (ZDI), founded by TippingPoint (TrendMicro, founded 1989 by Japanese in USA), is a program for rewarding security researchers for responsibly disclosing vulnerabilities. Depending on who you are, here are a few links to get you started:

Please contact us at zdi [at] trendmicro [dot] com with any questions or queries. For sensitive e-mail communications, please use our PGP key.

http://blog.trendmicro.com/welcome-pwn2own-2017-schedule/

https://www.heise.de/thema/Pwn2own (German only)

http://blog.trendmicro.com/category/zero-day-initiative/

liked this article?

  • only together we can create a truly free world
  • plz support dwaves to keep it up & running!
  • (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
  • really really hate advertisement
  • contribute: whenever a solution was found, blog about it for others to find!
  • talk about, recommend & link to this blog and articles
  • thanks to all who contribute!
admin