Mankind's natural inertia hates change in general… and updates are changes…
but updates are critical for security.
Mozilla reacted pretty fast – fixing/patching the problem in 22h.
2014: Firefox completely 0wned by Polish security researcher
2017: hacking in China
integer overflow in createImageBitmap()
- March 17, 2017
- Firefox, Firefox ESR
- Fixed in
  - Firefox 52.0.1
  - Firefox ESR 52.0.1
- Chaitin Security Research Lab via Trend Micro’s Zero Day Initiative
An integer overflow in createImageBitmap() was reported through the Pwn2Own contest.
The fix for this vulnerability disables the experimental extensions to the
This function runs in the content sandbox, requiring a second vulnerability to compromise a user’s computer.
The Zero Day Initiative (ZDI), founded by TippingPoint (Trend Micro, founded in 1989 by Japanese in the USA), is a program for rewarding security researchers for responsibly disclosing vulnerabilities.
20 Mar 2017 … Last week, the 10th annual Pwn2own hacking challenge was hosted … in createImageBitmap() was reported through the Pwn2Own contest,” …
19 March 2017 … … affected – in the ESR edition the vulnerable createImageBitmap API is not … The Pwn2Own event takes place annually.
@ChaitinTech does it again using 6 (!) bugs to go through Apple to gain root access on macOS – earning $35K.