Hacker News new | past | comments | ask | show | jobs | submit login
Finding and Exploiting Safari Bugs Using Publicly Available Tools (googleprojectzero.blogspot.com)
64 points by mbrubeck on Oct 8, 2018 | hide | past | favorite | 9 comments

Do Project Zero's blog posts not focus on Google products purposefully, or is that just a perceived bias?

I understand and appreciate the work Project Zero does; it makes us all safer when these bugs are found, and fixed. It just seems like the only project zero blog posts that make the front page are aimed at Microsoft or Apple.

From their first blog post [1]:

"We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers"

--- [1] https://googleprojectzero.blogspot.com/2014/07/announcing-pr...

Well there's the rather famous Intel issue that got some upvotes. I think they focus on platforms with a lot of users since that has the most benefit.

They have published blog posts on google products before (just glancing at that page, you can see there is one about chromeos).

You can also see in the dom fuzzing blog post this page links to (https://googleprojectzero.blogspot.com/2017/09/the-great-dom...), that they fuzzed chrome as well and found bugs.

But they really just don't publish that many blog posts in the relative scheme of things, relative to the number of issues they find/report.

They find and report (publicly) plenty of Google product issues.

So i'm not sure you can really draw anything just from the small sample of blog posts they do write.

Having done a bunch of fuzzing myself, my guess would be Google is picking up their problems before they get to a release in the main, and most people don't discuss bugs they find in internal testing.

Actually, project zero does not give google any better treatment than anyone else.

(IE Google bugs have the same disclosure rules/timelines/etc)

SVG's SMIL bites again (the bug used to write the exploit). This ancient animation system is incredibly hard to implement without security bugs due how GC interacts with the SVG SMIL DOM apis (animVal, baseVal, etc). SMIL is one of the reasons Chromium implemented C++ garbage collection.

With finite engineering resources, there's always a tradeoff between maintaining backwards compatibility and making forward progress. I think SMIL would be something better left behind.

Do you imagine that Apple has finite engineering resources? The last I heard was it is the richest company on earth. They’re just satisfied with the status quo in which Google does all of their security work and nobody cares because of decades-old misperceptions about Mac vs Windows malware safety.

Money alone doesn't create more qualified engineering applicants. They may be able to use money to poach those resources but the candidate pool for this sort of work is extremely finite.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact