
FF Sandbox Escape - weinzierl
https://googleprojectzero.blogspot.com/2020/06/ff-sandbox-escape-cve-2020-12388.html?m=1
======
Sniffnoy
Non-mobile link: [https://googleprojectzero.blogspot.com/2020/06/ff-sandbox-es...](https://googleprojectzero.blogspot.com/2020/06/ff-sandbox-escape-cve-2020-12388.html)

------
Thorrez
Off topic, does Firefox depend on Chromium code?

> As I’m a Chromium committer as well as an owner of the Windows sandbox I
> realized I might be better placed to fix this than Mozilla who relied on our
> code.

~~~
keeperofdakeys
Firefox uses some of the chromium code/libraries for the sandboxing on
Windows.

[https://wiki.mozilla.org/Security/Sandbox/Specifics](https://wiki.mozilla.org/Security/Sandbox/Specifics)

~~~
fluffything
I thought one of the main points of Firefox would be to not do this :D

~~~
vertex-four
Chromium contains a really solid implementation of OS process sandboxing,
which is rather secondary to the bits of building a web browser that we need
competition on. It could very reasonably be spun out into its own project, but
that takes time and effort so it stays part of Chromium.

------
etaioinshrdlu
It looks like this is not an actual exploit, but a hole in the sandbox that
first requires injecting custom code into the process?

~~~
albntomat0
I guess it depends on how you define "exploit." I'd personally consider
bypassing the sandbox an exploit, even though it's not a full chain.

------
starlig-ht
"Sandbox Escape" sounded like something fun but alas

------
ghostpepper
Off topic but does project zero ever publish vulnerabilities on google
products? More and more it seems like they mostly target google's competitors
(Firefox, iOS, etc)

~~~
jbroman
The very first sentence points to a PZ blog post about the Chrome sandbox.

~~~
jgon
The very first sentence points to a PZ blog post about a Windows vulnerability
that affects the Chrome sandbox, not an issue with their own code.

~~~
_jal
Is the claim that PZ is some sort of PR attack on other companies?

Because as someone who is highly skeptical of Google's motives a lot of the
time, that just seems like a batty take for anyone who is familiar with their
work.

~~~
lawnchair_larry
That’s been the claim for as long as they existed, and one that Microsoft
employees like to respond with in the media (and behind closed doors). It’s
not true though. I have talked to some of the early PZ folks and they are
unwavering in their devotion to sincerely held beliefs that they are making
the internet safer. They feel strongly that their hard disclosure deadline is
a critical component of this and they stick to those principles, even when it
is unfavorable to Google.

The _only_ reason that deadline exists is because many vendors have had a long
history of taking advantage of researchers who agree to embargo details of
their work while the vendors work on a fix. Bugs were going unfixed for years.

It has been my observation that this strategy only partially worked. The main
thing that happened is that vendors now won’t sit on Google reported vulns,
because they know Google are not bluffing, but they’re still generally happy
to take their sweet time if the report comes from someone else. I know of some
companies who put PZ bugs in a special queue to fast track them.

I think it has done a little bit in terms of setting norms for shorter
disclosure timelines though.

------
2close4comfort
Meh...escape must mean something different at Google

~~~
staticassertion
What do you mean?

