> As I’m a Chromium committer as well as an owner of the Windows sandbox I realized I might be better placed to fix this than Mozilla who relied on our code.
Chromium contains a really solid implementation of OS process sandboxing, which is rather secondary to the bits of building a web browser that we need competition on. It could very reasonably be spun out into its own project, but that takes time and effort so it stays part of Chromium.
It’s a proof of concept exploit for a vulnerability in the sandbox used by FF, which is a security boundary to reduce the impact of RCE. The reason for the injection is I don’t just have a working RCE lying around (we get them fixed), and using one would add additional complications and obfuscate the bug when reporting. The purpose of a proof of concept is to demonstrate impact so that it can be fixed.
All the big browser attacks require exploit chains, and this is a component for creating an exploit chain. The best exploit chains can go all the way from a web page's JS to complete root access (this was achieved on Chromebooks at one point in the last couple of years, using WebAssembly as one of the hops in the chain).
Off topic but does project zero ever publish vulnerabilities on google products? More and more it seems like they mostly target google's competitors (Firefox, iOS, etc)
vendor=Google returns 145 (bugs in Samsung's Android kernel, etc. are tracked separately)
vendor=Linux returns 54
To be fair, a huge number of things make this not an even comparison, including the underlying bug rate, different products and downstream Android vendors being tracked separately. Also, # bugs found != which ones they choose to write about.
As siblings mentioned, they do; I think part of the impression is a bit of a selection bias. Because Google puts itself into so many domains, they have many, many possible competitors. PZ tries to look at everything, so they're bound to also look at Google's competitors and find things. So even if they report on both themselves and on competitors, the numbers immediately look like they're reporting more on competitors because the number of companies involved is larger.
Is the claim that PZ is some sort of PR attack on other companies?
Because as someone who is highly skeptical of Google's motives a lot of the time, that just seems like a batty take for anyone who is familiar with their work.
That’s been the claim for as long as they existed, and one that Microsoft employees like to respond with in the media (and behind closed doors). It’s not true though. I have talked to some of the early PZ folks and they are unwavering in their devotion to sincerely held beliefs that they are making the internet safer. They feel strongly that their hard disclosure deadline is a critical component of this and they stick to those principles, even when it is unfavorable to Google.
The only reason that deadline exists is because many vendors have had a long history of taking advantage of researchers who agree to embargo details of their work while the vendors work on a fix. Bugs were going unfixed for years.
It has been my observation that this strategy only partially worked. The main thing that happened is that vendors now won’t sit on Google-reported vulns, because they know Google is not bluffing, but they’re still generally happy to take their sweet time if the report comes from someone else. I know of some companies who put PZ bugs in a special queue to fast-track them.
I think it has done a little bit in terms of setting norms for shorter disclosure timelines though.
I suspect from the Chrome security team's perspective there is very little difference, which is why they take significant measures to reduce the Windows kernel attack surface.