A EULOGY FOR PATCH-GAPPING CHROME
February 24, 2020
Authors: István Kurucsai and Vignesh S Rao In 2019 we looked at patch gapping Chrome on two separate occasions. The conclusion was that exploiting 1day vulnerabilities well
Patch-gapping Google Chrome
September 9, 2019
Patch-gapping is the practice of exploiting vulnerabilities in open-source software that are already fixed (or are in the process of being fixed) by the developers
Pwn2Own 2019: Microsoft Edge Sandbox Escape (CVE-2019-0938). Part 2
May 27, 2019
This is the second part of the blog post on the Microsoft Edge full-chain exploit. It provides analysis and describes exploitation of a logical vulnerability
Pwn2Own 2019: Microsoft Edge Renderer Exploitation (CVE-2019-0940). Part 1
May 19, 2019
This year Exodus Intelligence participated in the Pwn2Own competition in Vancouver. The chosen target was the Microsoft Edge browser and a full-chain browser exploit was
Windows Within Windows – Escaping The Chrome Sandbox With a Win32k NDay
May 17, 2019
This post explores a recently patched Win32k vulnerability (CVE-2019-0808) that was used in the wild with CVE-2019-5786 to provide a full Google Chrome sandbox escape
A window of opportunity: exploiting a Chrome 1day vulnerability
April 3, 2019
This post explores the possibility of developing a working exploit for a vulnerability already patched in the v8 source tree before the fix makes it
CVE-2019-5786: Analysis & Exploitation of the recently patched Chrome vulnerability
March 20, 2019
This post provides detailed analysis and an exploit achieving remote code execution for the recently fixed Chrome vulnerability that was observed by Google to be
HPE Intelligent Management Center: a case study on the reliability of security fixes
October 16, 2018
This post highlights several mistakes in the patches released for vulnerabilities affecting various services of HPE Intelligent Management Center, with a focus on its native
To ../ or not to ../, that is the question
September 13, 2018
Contributors: Grant Willcox and Gaurav Baruah Intro During our day-to-day research of N-day vulnerabilities at Exodus, we often come across public advisories containing incorrect root
True Key: the not so uncommon story of a failed patch
September 10, 2018
In this blog post, we examine the vendor-supplied patch addressing CVE-2018-6661. The vulnerability was initially reported to Intel Security (McAfee) in June 2017 and disclosed publicly