Eight new use-after-free bugs introduced into Safari in the last 12 months. Chrome and Edge use garbage collection in C++ to eliminate a large proportion of these security issues, but Safari is still adding them. https://twitter.com/ProjectZeroBugs/status/1047889297049714688
Replying to @erikcorry
Also Firefox for a long time, via the cycle collector.
Replying to @pcwalton
Does that prevent use-after-frees? If the ref count accidentally goes to zero, the object gets freed immediately, right?
Replying to @erikcorry
Yeah, you’re right, it doesn’t eliminate that kind of UAF :(
Replying to @pcwalton
For some reason this fuzzer doesn't find a lot of UaF bugs in Firefox though. Of the 4 found originally only one was a UaF. https://googleprojectzero.blogspot.com/2017/09/the-great-dom-fuzz-off-of-2017.html
Replying to @erikcorry
I’m told there are a lot of static analyses to prevent UAF called by reentrant JS.
3:00 PM - 29 Oct 2018
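The failure mode discussed in the replies above (a reference count accidentally reaching zero while the object is still executing, because re-entrant script dropped the last owner) and the usual mitigation (holding a strong reference across the re-entrant call) are shown here as an added example. This is not code from the thread, from WebKit or from Firefox; the `RefPtr` and `Node` types are a hypothetical miniature of a browser engine's intrusive ref-counting, and the "destroyed" flag exists only so the demonstration can report the outcome without touching freed memory.

```cpp
// Added example: re-entrant callback drops the last reference while the object
// is still on the stack. Hypothetical types, not a real engine's API.
#include <cstdio>
#include <functional>
#include <utility>

// Minimal intrusive smart pointer (stand-in for an engine's RefPtr/Ref).
template <typename T>
class RefPtr {
 public:
  RefPtr() = default;
  explicit RefPtr(T* p) : p_(p) { if (p_) p_->ref(); }
  RefPtr(const RefPtr& o) : p_(o.p_) { if (p_) p_->ref(); }
  RefPtr(RefPtr&& o) noexcept : p_(std::exchange(o.p_, nullptr)) {}
  ~RefPtr() { if (p_) p_->deref(); }
  RefPtr& operator=(RefPtr o) { std::swap(p_, o.p_); return *this; }
  void reset() { if (p_) p_->deref(); p_ = nullptr; }
  T* get() const { return p_; }
  T* operator->() const { return p_; }
 private:
  T* p_ = nullptr;
};

// DOM-like node whose event handler can run arbitrary (script-like) code,
// including code that removes the node's last owner.
class Node {
 public:
  using Handler = std::function<void(Node&)>;
  explicit Node(bool* destroyedFlag) : destroyed_(destroyedFlag) {}
  ~Node() { if (destroyed_) *destroyed_ = true; }  // instrumentation only
  void ref() { ++refCount_; }
  void deref() { if (--refCount_ == 0) delete this; }
  void setHandler(Handler h) { handler_ = std::move(h); }

  // Unsafe dispatch: no protector. Returns true if *this* was destroyed while
  // the handler ran, i.e. any member access after the call would be a UAF.
  // Only locals copied before the call are read afterwards.
  bool dispatchUnprotected() {
    bool* flag = destroyed_;
    Handler h = handler_;  // local copy: handler_ lives inside *this
    h(*this);
    return *flag;
  }

  // Safe dispatch: a strong reference held across the re-entrant call keeps the
  // count above zero until this frame returns (the "protectedThis" idiom).
  bool dispatchProtected() {
    RefPtr<Node> protectedThis(this);
    bool* flag = destroyed_;
    handler_(*this);
    return *flag;  // false: protectedThis still owns the object here
  }

 private:
  unsigned refCount_ = 0;
  Handler handler_;
  bool* destroyed_;
};

// Scenario: the handler resets the sole owner, like a listener that removes its
// own element from the tree. Returns whether the node died mid-dispatch.
static bool runScenario(bool protect) {
  bool destroyed = false;
  RefPtr<Node> owner(new Node(&destroyed));
  owner->setHandler([&owner](Node&) { owner.reset(); });
  Node* raw = owner.get();
  return protect ? raw->dispatchProtected() : raw->dispatchUnprotected();
}

bool unprotectedDispatchDestroysThis() { return runScenario(false); }
bool protectedDispatchDestroysThis() { return runScenario(true); }

int main() {
  std::printf("unprotected: destroyed during dispatch = %d\n",
              unprotectedDispatchDestroysThis());
  std::printf("protected:   destroyed during dispatch = %d\n",
              protectedDispatchDestroysThis());
  return 0;
}
```

Note that the protected variant does not prevent the owner from dropping its reference; it only defers destruction until the frame that is still using `this` has returned. That is exactly the class of bug a tracing garbage collector removes (the object cannot be freed while a stack root points at it) and that reference counting plus a cycle collector does not, which is the distinction made in the replies above. The static checks mentioned at the end of the thread are what catches a missing protector at the call sites where script can re-enter.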