So I’m listening to the presentation by Tavis Ormandy and Julien Tinnes and they are discussing kernel bugs and how the attack surface is growing in general and even in systems that have been designed with security in mind.
One thing I thought interesting was the fact that their deck has the google logo all over it.
The other interesting item to note was the number of kernel bugs still under investigation:
Remember that after the blow up over Tavis’ release of a zero day done “on his free time” other security researchers jumped on the zero day band wagon… MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer.”
Okay so I was giving Tavis the benefit of the doubt that he was doing this on “his free time”, but not now. If this was truly on his free time, you’d not put your company logo on the slide deck. If you’ve ever seen a presentation of mine done in the SMB space I do not put my real firm’s logo on that deck. This blog is on my free time and thusly speaking gigs I get as a result do not have my firm’s logo on it.
So at least for those particular upcoming kernel bugs that he’s pointing out there… dude…that is not on your personal time. You are google finding flaws in Windows and Linux kernels because Chrome’s sandboxing depends more on the security of the kernel.