Cr0 - blog.cr0.org - cr0 blog

Latest News:

Introducing Chrome's next-generation Linux sandbox 7 Sep 2012 | 05:50 am

Starting with Chrome 23.0.1255.0, recently released to the Dev Channel, you will see Chrome making use of our next-generation sandbox on Linux and ChromeOS for renderers. We are using a new facility,...

Javocalypse 10 Apr 2010 | 01:47 am

EDIT: Following its full disclosure, Sun fixed Tavis' Java deployment toolkit bug (CVE-2010-0886 and CVE-2010-0887) in a matter of days, wow! No doubt this will be used in the future as an argument fo...

There's a party at Ring0, and you're invited 28 Mar 2010 | 11:21 pm

Tavis and I have just come back from CanSecWest. The title of our talk was "There's a party at Ring0, and you're invited". We went through some of the bugs that we have worked on this past year and m...

CVE-2010-0232: Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack 22 Jan 2010 | 04:48 am

Two days ago, Tavis Ormandy published one of the most interesting vulnerabilities I've seen so far. It's one of those rare, but fascinating design-level errors dealing with low-level system inter...

Virtualization security and the Intel privilege model 29 Nov 2009 | 02:59 am

Earlier this month, Tavis and I spoke at PacSec 2009 in Tokyo about virtualisation security on Intel architectures, with a focus on CPU virtualisation. During this talk, we briefly explained various ...

CVE-2009-2267: Mishandled exception on page fault in VMware 31 Oct 2009 | 07:43 am

Tavis Ormandy and I have recently released an advisory for CVE-2009-2267. This is a vulnerability in VMware's virtual CPU which can lead to privilege escalation in a guest. All VMware virtualisa...

Security in Depth for Linux Software 14 Oct 2009 | 09:49 pm

Chris Evans and I presented last week at Hack In The Box Malaysia about "Security in Depth for Linux software". You can find the slides here. The talk was focused on writing good code and s...

CVE-2009-2793: Iret #GP on pre-commit handling failure: the NetBSD case 17 Sep 2009 | 05:20 am

A few months ago, Tavis Ormandy and I used the fact that iret can fail with a General Protection (#GP) exception before the processor "commits" to user-mode (switches privileges by setting C...

CVE-2009-2698: udp_sendmsg() vulnerability 28 Aug 2009 | 11:43 pm

EDIT: p0c73n1 has posted an exploit for this to milw0rm, as did andi@void.at, and spender wrote "the rebel". Tavis Ormandy and I have recently reported CVE-2009-2698, which has been disclosed at th...

Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692) 14 Aug 2009 | 05:41 am

EDIT2: Here is Red Hat's official mitigation recommendation. EDIT3: Brad Spengler also wrote an exploit for this and published it. The bug triggering is based on our exploit, which leaked to Brad, though ...
