Infineon TPM bug. It had no logo...?
-
-
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Java deserilization when originally presented in 2014 or so?
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Oh! XSS/privilege escalation in Electron applications. Not sure anyone even noticed Luca’s talk.
-
I’ll vote for Java Deserialisation (as a class of issues) over RCE through XSS in Electron (though a neat vuln... interestingly it was discovered by a researcher where I work some months before Luca’s talk (under NDA))
-
It’s less who found it and more that it wasn’t recognized as a big deal until a month or so ago.
-
Agree. Same for Java Deser which was noted as a potential issue circa 2012 iirc and was then explored further and became wider known by the end of 2015. And now it’s the gift that keeps on giving.
-
And wrt the original tweet there was no parade, no logos, paper or website dedicated to it. Just a slow build up of research and interest.
-
Yep, definitely agree. It’s hard to remember since now everyone lights up at new deser vulnerabilities, but at the time not so much.
-
Probably the case can be made for SSRF here too, but that’s a bit broader and fuzzier.
End of conversation
New conversation -
-
-
Critical stack buffer overflow in Chrome’s QUIC ;)
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
That is such a good question. The .NET CBC padding oracle, maybe?
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
What about bugs that were silently patched during refactoring or while fixing a non-security bug? That happens surprisingly often and the bugs die without ever getting a CVE. And often people don't patch because they don't think it matters since no critical bugs.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.