[HN Gopher] FF Sandbox Escape
___________________________________________________________________

FF Sandbox Escape

Author : weinzierl
Score  : 54 points
Date   : 2020-06-18 19:42 UTC (3 hours ago)

web link (googleprojectzero.blogspot.com)

  ghostpepper wrote:
  | Off topic, but does Project Zero ever publish vulnerabilities on
  | Google products? More and more it seems like they mostly target
  | Google's competitors (Firefox, iOS, etc.)

    comfydragon wrote:
    | Sure.
    |
    | https://googleprojectzero.blogspot.com/2019/11/bad-binder-an...
    |
    | https://googleprojectzero.blogspot.com/2020/02/mitigations-a...
    |
    | https://googleprojectzero.blogspot.com/2016/12/chrome-os-exp...

    simcop2387 wrote:
    | As siblings mentioned, they do. I think part of the impression
    | is a bit of a selection bias. Because Google puts itself into
    | so many domains, they have many, many possible competitors. PZ
    | tries to look at everything, so they're bound to also look at
    | Google's competitors and find things. So even if they report on
    | both themselves and on competitors, the numbers immediately
    | look like they're reporting more on competitors because the
    | number of companies involved is larger.

    albntomat0 wrote:
    | Here's the post I put together when this same question was
    | asked 6 days ago. All counts are rough numbers.
    |
    | Project Zero posts:
    |
    | Google: 24
    |
    | Apple: 28
    |
    | Microsoft: 36
    |
    | I was curious, so I poked around the Project Zero bug tracker
    | to try to find ground truth about their bug reporting:
    | https://bugs.chromium.org/p/project-zero/issues/list
    |
    | For all issues, including closed:
    |
    | product=Android returns 81 results
    |
    | product=iOS returns 58
    |
    | vendor=Apple returns 380
    |
    | vendor=Google returns 145 (bugs in Samsung's Android kernel,
    | etc. are tracked separately)
    |
    | vendor=Linux returns 54
    |
    | To be fair, a huge number of things make this not an even
    | comparison, including the underlying bug rate, different
    | products, and downstream Android vendors being tracked
    | separately. Also, # bugs found != which ones they choose to
    | write about.

    jbroman wrote:
    | The very first sentence points to a PZ blog post about the
    | Chrome sandbox.

      jgon wrote:
      | The very first sentence points to a PZ blog post about a
      | Windows vulnerability that affects the Chrome sandbox, not an
      | issue with their own code.

        staticassertion wrote:
        | I suspect from the Chrome security team's perspective there
        | is very little difference, which is why they take
        | significant measures to reduce the Windows kernel attack
        | surface.

    _jal wrote:
    | Is the claim that PZ is some sort of PR attack on other
    | companies?
    |
    | Because as someone who is highly skeptical of Google's
    | motives a lot of the time, that just seems like a batty
    | take for anyone who is familiar with their work.

      lawnchair_larry wrote:
      | That's been the claim for as long as they've existed, and
      | one that Microsoft employees like to respond with in the
      | media (and behind closed doors). It's not true though. I
      | have talked to some of the early PZ folks and they are
      | unwavering in their devotion to sincerely held beliefs
      | that they are making the internet safer. They feel
      | strongly that their hard disclosure deadline is a
      | critical component of this and they stick to those
      | principles, even when it is unfavorable to Google.
      |
      | The _only_ reason that deadline exists is because many
      | vendors have had a long history of taking advantage of
      | researchers who agree to embargo details of their work
      | while the vendors work on a fix. Bugs were going unfixed
      | for years.
      |
      | It has been my observation that this strategy only
      | partially worked. The main thing that happened is that
      | vendors now won't sit on Google-reported vulns, because
      | they know Google is not bluffing, but they're still
      | generally happy to take their sweet time if the report
      | comes from someone else. I know of some companies who put
      | PZ bugs in a special queue to fast-track them.
      |
      | I think it has done a little bit in terms of setting
      | norms for shorter disclosure timelines, though.

  Sniffnoy wrote:
  | Non-mobile link:
  | https://googleprojectzero.blogspot.com/2020/06/ff-sandbox-es...

___________________________________________________________________
(page generated 2020-06-18 23:00 UTC)