A Tale of Two Exploits
http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html

======
quanticle
This is a quintessential example of why it's a very bad thing for the NSA to
hoard zero-days. It's easy to forget that the black hats are looking for zero
days too, and the fact that you've found an undisclosed vulnerability doesn't
mean that you're the only one to have found this vulnerability, or even that
you're the first one.

In the example from the article, it's likely that the black hats found the
zero day first, and were in the process of updating their attack toolkits when
the Project Zero team came across the issue and notified Adobe. If it had been
the NSA that found this issue, no one would have been notified, and the black
hats would have had days or weeks to refine their attacks before a patch was
issued.

------
SloopJon
I'm not familiar with the term bug collision, and I don't quite grok it from
context. Is this another way of saying independent discovery?

~~~
rudolf0
Yes.

------
CGamesPlay
I'm no security researcher, but the proof of concept looks like there just
exists this API where you get to set a memory address and call from a limited
pool of functions. Based on that observation, this hardly seems like an
exploit--it looks like "as designed". What made Adobe/Macromedia/whoever
originally decide that this interface was "secure"? Am I missing something?

~~~
jbangert
Well, the ability to call a set of functions (really, to overwrite a vtable
pointer with a constrained set of values - which is a table of function
pointers your C++ compiler emits to handle virtual function calls) is the
underlying vulnerability. The article describes a proof of concept exploit -
an approach of turning this into a concrete security problem (arbitrary
command execution/calling libc).
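An added illustration of jbangert's point (example code, not from the post, the Project Zero article, or Adobe): a hand-rolled C vtable showing what a virtual call actually dereferences, and a CFI-style allow-list check on the vptr, the mitigation that turns a corrupted pointer into a refused call instead of a dispatch. The shape types, functions and table names are constructed for the example.

```c
#include <stddef.h>
/* A hand-rolled vtable: the table of function pointers a C++ compiler emits
   for a class with virtual functions; each object's hidden first field (the
   vptr) points at its class's table. Constructed example, not the Flash code. */
typedef struct Shape Shape;
typedef struct {
    double (*area)(const Shape *);
    double (*perimeter)(const Shape *);
} ShapeVTable;
struct Shape {
    const ShapeVTable *vptr;   /* C++ places this here implicitly */
    double w, h;
};
static double rect_area(const Shape *s)  { return s->w * s->h; }
static double rect_perim(const Shape *s) { return 2.0 * (s->w + s->h); }
static double tri_area(const Shape *s)   { return 0.5 * s->w * s->h; }
static double tri_perim(const Shape *s)  { return 3.0 * s->w; }  /* equilateral */
static const ShapeVTable RECT_VT = { rect_area, rect_perim };
static const ShapeVTable TRI_VT  = { tri_area,  tri_perim  };

/* Unchecked dispatch: what a plain virtual call compiles to. If the vptr has
   been overwritten, the call goes wherever the substituted table points. */
double area_unchecked(const Shape *s) { return s->vptr->area(s); }

/* Allow-list of the program's legitimate vtables; a CFI scheme performs this
   kind of check before dispatching through a vptr. */
static const ShapeVTable *const KNOWN_VTABLES[] = { &RECT_VT, &TRI_VT };
int vptr_is_known(const Shape *s) {
    for (size_t i = 0; i < sizeof KNOWN_VTABLES / sizeof *KNOWN_VTABLES; i++)
        if (KNOWN_VTABLES[i] == s->vptr) return 1;
    return 0;
}

/* Checked dispatch: refuses to call through an unknown vptr; *ok reports it. */
double area_checked(const Shape *s, int *ok) {
    *ok = vptr_is_known(s);
    return *ok ? s->vptr->area(s) : 0.0;
}

/* Models an object whose vptr now points at a table the program never defined
   (a harmless in-process stand-in). Returns 1 when the unchecked path follows
   the bogus table and the checked path refuses the call. */
static double bogus_area(const Shape *s) { (void)s; return -1.0; }
static const ShapeVTable BOGUS_VT = { bogus_area, rect_perim };
int demo_corrupted_vptr(void) {
    Shape s = { &RECT_VT, 2.0, 3.0 };
    s.vptr = &BOGUS_VT;   /* stand-in for the memory-corruption step */
    int ok;
    double u = area_unchecked(&s), c = area_checked(&s, &ok);
    return u == -1.0 && !ok && c == 0.0;
}
```

Real CFI implementations (e.g. compiler-inserted vtable checks) do the allow-list comparison on every virtual call site rather than in a wrapper, but the rejection logic is the same.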

