One Article Review

The article:
Source GoogleSec
Identifier 4593789
Publication date 2022-03-23 13:03:26 (seen: 2022-05-13 21:47:30)
Title What's up with in-the-wild exploits? Plus, what we're doing about it.
Text Posted by Adrian Taylor, Chrome Security Team

If you are a regular reader of our Chrome release blog, you may have noticed that phrases like 'exploit for CVE-1234-567 exists in the wild' have been appearing more often recently. In this post we'll explore why there seems to be such an increase in exploits, and clarify some misconceptions in the process. We'll then share how Chrome is continuing to make it harder for attackers to achieve their goals.

How things work today

While the increase may initially seem concerning, it's important to understand the reason behind this trend. If it's because there are many more exploits in the wild, it could point to a worrying trend. On the other hand, if we're simply gaining more visibility into exploitation by attackers, it's actually a good thing! It's good because it means we can respond by providing bug fixes to our users faster, and we can learn more about how real attackers operate. So, which is it? It's likely a little of both.

Our colleagues at Project Zero publicly track all known in-the-wild “zero day” bugs. Here's what they've reported for browsers:

First, we don't believe there was no exploitation of Chromium based browsers between 2015 and 2018. We recognize that we don't have full view into active exploitation, and just because we didn't detect any zero-days during those years, doesn't mean exploitation didn't happen. Available exploitation data suffers from sampling bias. Teams like Google's Threat Analysis Group are also becoming increasingly sophisticated in their efforts to protect users by discovering zero-days and in-the-wild attacks.

A good example is a bug in our Portals feature that we fixed last fall. This bug was discovered by a team member in Switzerland and reported to Chrome through our bug tracker. While Chrome normally keeps each web page locked away in a box called the “renderer sandbox,” this bug allowed the code to break out, potentially allowing attackers to steal information. Working across multiple time zones and teams, it took the team three days to come up with a fix and roll it out, as detailed in our video on the process:

Why so many exploits?

There are a number of factors at play, from changes in vendor and attacker behavior, to changes in the software itself. Here are four in particular that we've been discussing and exploring as a team.

First, we believe we're seeing more bugs thanks to vendor transparency. Historically, many browser makers didn't announce that a bug was being exploited in the wild, even if they knew it was happening. Today, most major browser makers have increased transparency via publishing details in release communications, and that may account for more publicly tracked “in the wild” exploitation. These efforts have been spearheaded by bo
Sent Yes
Tags Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.