Thanks to @coinbase I've had a chance to look at the in-the-wild exploit for the recent Firefox 0day (the RCE) that they caught. Tl;dr: it looks a lot like a bug collision between Fuzzilli and someone manually auditing for bugs. My notes:
Also, I'm not sure I understand how the Array.prototype.pop bug is related to alias analysis (like in the MArraySlice bug)?
yeah, I attempted a short explanation at https://bugs.chromium.org/p/project-zero/issues/detail?id=1820#c5. Basically pop and push aren't marked as having side effects (as was slice), see their getAliasSet implementation. But due to unexpected access to the prototype you could get side effects through getters/setters on it.
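The "unexpected access to the prototype" in the reply above is plain ECMAScript semantics, which the following added example (not code from the thread, Firefox or Fuzzilli) demonstrates in any engine: when the last slot of an array is a hole, Array.prototype.pop reads it through the prototype chain, so a hypothetical accessor installed on Array.prototype runs in the middle of the pop and can mutate the array. That is exactly the side effect a JIT's alias analysis must account for if it treats pop/push as effect-free.

```javascript
// Added example: shows that Array.prototype.pop is not side-effect free once
// a prototype accessor is involved. Not an exploit; it runs in any JS engine.

function popThroughPrototype(installAccessor) {
  const events = [];
  const arr = [10, 20, 30];
  arr.length = 4;            // index 3 is now a hole (no own property)

  if (installAccessor) {
    // Hypothetical accessor on Array.prototype at index 3 (constructed for
    // this demo). It records that it ran and overwrites an element of the
    // array while pop is still executing.
    Object.defineProperty(Array.prototype, 3, {
      configurable: true,
      get() {
        events.push("getter ran during pop");
        arr[0] = "clobbered";   // user code mutating the array mid-operation
        return "value-from-prototype";
      },
    });
  }

  let popped;
  try {
    popped = arr.pop();       // Get(arr, "3") walks up to Array.prototype
  } finally {
    delete Array.prototype[3]; // always restore the shared prototype
  }
  return { popped, events, first: arr[0], finalLength: arr.length };
}
```

Without the accessor the hole simply yields undefined and nothing else is observable; with it, pop returns a value that never lived in the array and the array's contents have changed underneath the caller.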