Conversation

Replying to

There are other Android apps using it along applications on other platforms. There's a detailed post about the issues on the Project Zero blog: googleprojectzero.blogspot.com/2019/02/the-cu Can tell it has diverse apps using it from StackOverflow questions like stackoverflow.com/questions/4229 (C# on iOS).

stackoverflow.com

How to add rect using Skia Sharp and apply both fill color and stroke color to that object?

How to add rect or any shape using Skia Sharp and apply both fill color and stroke color to that object in iOS

2

2

Replying to

Skia sounds as awful as something I'd expect out of Google...

1

1

Replying to

They made it because Cairo has terrible performance and varying output across platforms. I'd expect that Cairo has bigger security problems too, but doesn't get nearly as much attention because it's not exposed in two of the major browsers as the 2D canvas implementation.

3

2

Replying to

Why is this kind of functionality even exposed at all except opt-in?! (Obvious answer: Google wants it for adtech fingerprinting.)

2

Replying to

and

If sites want to rasterize shit themselves in my browser, they can ship a rasterizer in portable js that runs in the sandbox like everything else.

1

Replying to

Font handling is also a large attack surface since font rendering is extremely complex and browsers expose it to untrusted input by supporting fonts provided by the site. CSS is super complex by itself and keeps getting more features that need to interact with all the others.

2

2

Replying to

and

And of course they support all kinds of different image, video and audio codecs. They also keep expanding the feature set with things like access to MIDI devices, Bluetooth and USB but at least those prompt the user to allow it. Have you seen issues like github.com/mozilla/standa?

2

1

Replying to

and

There's literally a browser API which supports updating firmware on devices which mostly have no signature verification for the updates. The manufacturers consider that an important feature, even including the fact that there's no signature verification.

1

1

2

Replying to

and

They don't want to deal with supporting updates and modding securely, so they expose firmware updates via an API exposed through web browsers and leave out verifying the updates. A user allowing access ends up letting a site implant it with persistent malware without any exploit.

1

Replying to

Firmware update should never be possible except via special physical interface solely for firmware update.

1

Replying to

These devices have a fair bit of attack surface and probably do need security updates though, and people wouldn't do it that way. It really needs signature verification and should check the origin of the update too along with requiring explicit consent to do it though.

8:38 PM · Feb 14, 2019Twitter Web Client

Replying to

and

It generally does none of that. There's just an extensible API exposed via the MIDI API and they stick firmware updates into that. Any site given access to the device at all can do a firmware update, and often there's no signature verification. These companies don't really care.

2

Replying to

Browser could parse the MIDI, only accepting standard commands, and rewrite it before sending to the device..?

1

Show replies