Daniel Micay on Twitter: "Android uses it to implement standard features like the Android Canvas. Web browsers are among the few apps exposing a feature like that directly to untrusted input but there are probably other examples, and they wouldn't have an equivalent to the great Chromium renderer sandbox." / Twitter

twitter.com/EtTuCarl/statu It's 3 vulnerabilities in Skia, which is a 2D rendering library used by Android, Firefox and Chromium. It's widely used and the context where an attacker could gain code exec varies. For Chromium on Android it's in the Chrome or WebView renderer sandbox.

Quote Tweet

Carl (fan parody)

@EtTuCarl

Feb 14, 2019

@DanielMicay Do you know exactly what part of Android does this (specific to built-in photo app, webview, or something else)? twitter.com/cybersecboardr…

2

3

6

Daniel Micay

@DanielMicay

Feb 14, 2019

There are other Android apps using it along applications on other platforms. There's a detailed post about the issues on the Project Zero blog: googleprojectzero.blogspot.com/2019/02/the-cu Can tell it has diverse apps using it from StackOverflow questions like stackoverflow.com/questions/4229 (C# on iOS).

stackoverflow.com

How to add rect using Skia Sharp and apply both fill color and stroke color to that object?

How to add rect or any shape using Skia Sharp and apply both fill color and stroke color to that object in iOS

2

Daniel Micay

@DanielMicay

Android uses it to implement standard features like the Android Canvas. Web browsers are among the few apps exposing a feature like that directly to untrusted input but there are probably other examples, and they wouldn't have an equivalent to the great Chromium renderer sandbox.

8:04 PM · Feb 14, 2019Twitter Web Client

1

Retweet

Conversation