[HN Gopher] FF Sandbox Escape
       ___________________________________________________________________
        
       FF Sandbox Escape
        
       Author : weinzierl
       Score  : 54 points
       Date   : 2020-06-18 19:42 UTC (3 hours ago)
        
 (HTM) web link (googleprojectzero.blogspot.com)
 (TXT) w3m dump (googleprojectzero.blogspot.com)
        
       | ghostpepper wrote:
        | Off topic, but does Project Zero ever publish vulnerabilities in
        | Google products? More and more it seems like they mostly target
        | Google's competitors (Firefox, iOS, etc.)
        
         | comfydragon wrote:
         | Sure.
         | 
         | https://googleprojectzero.blogspot.com/2019/11/bad-binder-an...
         | 
         | https://googleprojectzero.blogspot.com/2020/02/mitigations-a...
         | 
         | https://googleprojectzero.blogspot.com/2016/12/chrome-os-exp...
        
         | simcop2387 wrote:
          | As siblings mentioned, they do; I think part of the impression
          | is a bit of a selection bias. Because Google puts itself into
          | so many domains, they have many, many possible competitors. PZ
          | tries to look at everything, so they're bound to also look at
          | Google's competitors and find things. So even if they report on
          | both themselves and on competitors, the numbers immediately
          | look like they're reporting more on competitors because the
          | number of companies involved is larger.
        
         | albntomat0 wrote:
         | Here's the post I put together when this same question was
         | asked 6 days ago. All counts are rough numbers.
         | 
         | Project zero posts:
         | 
         | Google: 24
         | 
         | Apple: 28
         | 
         | Microsoft: 36
         | 
          | I was curious, so I poked around the Project Zero bug tracker
          | to try to find ground truth about their bug reporting:
          | https://bugs.chromium.org/p/project-zero/issues/list
          | 
          | For all issues, including closed:
         | 
         | product=Android returns 81 results
         | 
         | product=iOS returns 58
         | 
         | vendor=Apple returns 380
         | 
          | vendor=Google returns 145 (bugs in Samsung's Android
          | kernel, etc. are tracked separately)
         | 
          | vendor=Linux returns 54
         | 
         | To be fair, a huge number of things make this not an even
         | comparison, including the underlying bug rate, different
         | products and downstream Android vendors being tracked
         | separately. Also, # bugs found != which ones they choose to
         | write about.
        
         | jbroman wrote:
         | The very first sentence points to a PZ blog post about the
         | Chrome sandbox.
        
           | jgon wrote:
           | The very first sentence points to a PZ blog post about a
           | Windows vulnerability that affects the Chrome sandbox, not an
           | issue with their own code.
        
             | staticassertion wrote:
             | I suspect from the Chrome security team's perspective there
             | is very little difference, which is why they take
             | significant measures to reduce the Windows kernel attack
             | surface.
        
             | _jal wrote:
             | Is the claim that PZ is some sort of PR attack on other
             | companies?
             | 
             | Because as someone who is highly skeptical of Google's
             | motives a lot of the time, that just seems like a batty
             | take for anyone who is familiar with their work.
        
               | lawnchair_larry wrote:
               | That's been the claim for as long as they existed, and
               | one that Microsoft employees like to respond with in the
               | media (and behind closed doors). It's not true though. I
               | have talked to some of the early PZ folks and they are
               | unwavering in their devotion to sincerely held beliefs
               | that they are making the internet safer. They feel
               | strongly that their hard disclosure deadline is a
               | critical component of this and they stick to those
               | principles, even when it is unfavorable to Google.
               | 
               | The _only_ reason that deadline exists is because many
               | vendors have had a long history of taking advantage of
               | researchers who agree to embargo details of their work
               | while the vendors work on a fix. Bugs were going unfixed
               | for years.
               | 
               | It has been my observation that this strategy only
               | partially worked. The main thing that happened is that
               | vendors now won't sit on Google reported vulns, because
               | they know Google are not bluffing, but they're still
               | generally happy to take their sweet time if the report
               | comes from someone else. I know of some companies who put
               | PZ bugs in a special queue to fast track them.
               | 
               | I think it has done a little bit in terms of setting
               | norms for shorter disclosure timelines though.
        
       | Sniffnoy wrote:
       | Non-mobile link:
       | https://googleprojectzero.blogspot.com/2020/06/ff-sandbox-es...
        
       ___________________________________________________________________
       (page generated 2020-06-18 23:00 UTC)