Bit of a logic bug/abuse resulting in the ability to write files with semi-controlled content into any directory regardless of privileges. Under normal circumstances, when a setuid binary crashes it is considered non-dumpable; more generally, a process whose real and effective user or group IDs differ will not be dumped.
Archive Utility on macOS had a bug when encountering long file paths during extraction that would result in the extracted files not receiving the `com.apple.quarantine` attribute that Gatekeeper looks for.
These are five issues that enabled file writes outside of the expected directory when NPM was unpacking an archive using the `node-tar` library.
The AWS WorkSpaces desktop application registers a custom URI handler on the host system and does not properly sanitize the parameters, leading to argument injection. As the WorkSpaces client is based on the Chromium Embedded Framework, the debugging argument `--gpu-launcher` can be used to issue arbitrary commands.
Straightforward use-after-free in libcurl when processing MQTT. The `mqtt_doing()` routine will attempt to send any remainder of outgoing packet data using the `mq->sendleftovers` pointer, freeing that pointer, but then never clearing the reference...
The cool part of this paper is the speculative type confusion attack, where the browser's optimizer is trained to expect that a memory access will be on a uint8 array, and the CPU branch predictor is trained to expect that it will always go down that path. The attack then changes both conditions, leading the CPU to speculatively execute the uint8 access using data from another object, aligned in memory such that two 32-bit values in JavaScript become one 64-bit value.
This is another one of those "IDE/tooling doing more than you expect" issues. In Rust you have `#[proc_macro]`s, which are functions that are executed at compile time...
Kind of a neat attack to track users across browsers. Potentially fairly loud for most users though...
Gatekeeper would misclassify certain types of applications, allowing them to run without any restriction. Specifically, you can cause confusion in the policy engine regarding whether the app is bundled or not...