Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 17 Nov 2014 07:54:54 -0800
From: Michal Zalewski <>
To: oss-security <>
Subject: Re: Fuzzing findings (and maybe CVE requests) -
 Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

> I know that this sounds awfully impractical (at least for the time
> being, because the landscape here is changing pretty rapidly), but
> some would say that the best advice they can give to "average users"
> now is to watch "untrusted" movies with web browsers which are
> employing well-reviewed and tested sandboxing technologies and their
> media decoders are well tested (also: fuzzed). I guess "regular" media
> players will follow with this approach in some time.

Well, but that's a tough argument.

First, as you note, the primary way that things like ffmpeg have
improved is fuzzing. In fact, if anything, ffmpeg has been
*exceptionally* bad before that, would definitely fail the "designed
for security" test, and by that criteria, should not have been used in
any browser to begin with. So, it's probably not a very good argument
against fuzzing bad software =)

Secondly - as most people on this list know, sandboxing is a tricky
beast. Firefox doesn't have it. Safari and Opera don't have it (that I
know of). MSIE has a fairly limited one. Chrome has a good sandbox on
most platforms, but today, it is certainly far from being a silver
bullet - an RCE in a sandboxed renderer still gives access to many of
your online assets (doubly so if you advise people to conduct their
business in browser-accessible VMs, cloud services, or so).

They are working on something better, but the difficulty of making
that happen for a fairly specific use case certainly emphasizes how
tricky sandboxing can be with today's monolithic, multi-purpose apps.
People have been talking about lightweight, dynamic
compartmentalization-on-the-fly for other tools for a very long time,
but not much has gained widespread acceptance so far. Most OSes ship
with a dizzying array of containment mechanisms, most of which are
completely unused spare for a handful binaries built by teams
passionate about infosec. I'm not sure if we have the power to change


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.