CanSecWest

MS13-037 addressing Pwn2own vulnerabilities

MS13-037 addresses a number of vulnerabilities in Internet Explorer, several of which were reported to us by the TippingPoint Zero Day Initiative (ZDI) program. We’ve gotten questions from customers about the specific vulnerabilities purchased by ZDI from the CanSecWest pwn2own contest. We’d like to use this blog post to provide more background on the set …

MS13-037 addressing Pwn2own vulnerabilities Read More »

MS11-018 addresses the IE8 pwn2own vulnerability

Today Microsoft released MS11-018 addressing one of the three vulnerabilities that were used to win the Pwn2Own contest last month at CanSecWest 2011. It took three vulnerabilities to successfully compromise IE8 and meet all the requirements of the organizers. The vulnerability we are fixing today, a use-after-free which does not affect IE9, was the primary vulnerability …

MS11-018 addresses the IE8 pwn2own vulnerability Read More »

Hacker Olympics: a shout-out from Vancouver, BC!

Handle:Cluster IRL: Maarten Van Horenbeeck Rank: Senior Program Manager Likes: Slicing covert channels, foraging in remote memory pools, and setting off page faults Dislikes: The crackling sound of crypto breaking, warm vodka martni Handle:Mando Picker IRL: Dustin Childs Rank: Security Program Manager Likes: Protecting customers, working with security researchers, second Tuesdays, bourbon, mandolins Dislikes: Using …

Hacker Olympics: a shout-out from Vancouver, BC! Read More »

Numbers, Big Numbers, at the RSA Conference 2010

Handle:Cluster IRL: Maarten Van Horenbeeck Rank: Senior Program Manager Likes: Slicing covert channels, foraging in remote memory pools, and setting off page faults Dislikes: The crackling sound of crypto breaking, warm vodka martni San Francisco has always been a somewhat odd but pleasant outpost with an appeal that attracts people from all over. It was …

Numbers, Big Numbers, at the RSA Conference 2010 Read More »

Snowpacalypse Now (I love the smell of briefings in the morning)

Handle:Avatar IRL: Karl Hanmore Rank: Senior Security Strategist (aka Sergeant Grunt) Likes: Getting the job done, bringing the fight to the bad guys, good single malt whiskey Dislikes: Cowards, talkers not doers, red tape, humidity Handle:Mando Picker IRL: Dustin Childs Rank: Security Program Manager Likes: Protecting customers, working with security researchers, second Tuesdays, bourbon, mandolins …

Snowpacalypse Now (I love the smell of briefings in the morning) Read More »

MS09-019 (CVE-2009-1532): The “pwn2own” vulnerability

IE8 behavior notes MS09-019 contains the fix for the IE8 vulnerability responsibly disclosed by Nils at the CanSecWest pwn2own competition (CVE-2009-1532). Nils exploited this vulnerability on an IE8 build that did allow .NET assemblies to load in the Internet Zone. The final, released build of IE8 does not allow .Net assemblies to load in the …

MS09-019 (CVE-2009-1532): The “pwn2own” vulnerability Read More »

The History of the !exploitable Crash Analyzer

At the CanSecWest conference earlier this month we made our first public release of the !exploitable Crash Analyzer. While an upcoming white paper and the CanSecWest slide deck go into detail on the technology involved, we thought it might be useful to explore the history of the tool. Roots in Fuzzing The technology and research …

The History of the !exploitable Crash Analyzer Read More »

Released build of Internet Explorer 8 blocks Dowd/Sotirov ASLR+DEP .NET bypass

Last summer at BlackHat Vegas, Alexander Sotirov and Mark Dowd outlined several clever ways to bypass the Windows Vista defense-in-depth protection combination of DEP and ASLR in attacks targeting Internet Explorer. One approach they presented allowed attackers to use .NET framework DLL’s to allocate executable pages of memory at predictable locations within the iexplore.exe process. …

Released build of Internet Explorer 8 blocks Dowd/Sotirov ASLR+DEP .NET bypass Read More »