Embarrassment to Microsoft: most of the bugs in the windows was Google

Most bugs and security holes are fixed in the latest update and Weindoos found by Google engineers, even received credit for

Microsoft confusion: for the last software update issued by the Windows operating system, which includes dozens of fixes and plugging security holes in the system, Internet Explorer and Office software package, deserve credit mainly to ... Google.
Apparently Google engineers are the most active bugs reported to Microsoft, but recent amendment they broke a new record - and reported no less than 37 bugs, they are more than half from 64 problems treated this time. Tuz G'orz'i, Google security engineer who calls himself "Hacker and Weindoos" found himself 32 faults defined at the level of high importance. Jennawil Koldoweind, information security engineer company, found five more. "If you are curious about the 32 bugs found Boweindoos, maybe you should you get SyScan security conference this year," suggested Koldoweind Google Plus status of his account. "
Google for a long history with the unveiling bugs in Microsoft products. In 2010, for example, an engineer revealed serious security bug in Boweindoos, declared it and gave Microsoft five days before publish online repair software code that can take advantage of the loophole. Microsoft, for its part, is trying to counter with finding bugs in Google products. July 2012 claimed Microsoft engineer who exposed Trojan horse virus spammer and malware via Android phones - but Google has denied the claim.
Microsoft does not hide the credit due to leather debugger. Its software updates should be indicating those. "When we see Safety Professionals get Microsoft updates recognition, it means they have secretly reported vulnerability exists, worked with us to develop repair and help us spread information when the vulnerability was eliminated," Microsoft said.

Vulnerabilities


Keeping Internet users safe is more than just making sure Google's products are secure. Google engineers also contribute to improving the security of non-Google software that our products and users rely on.
Provided below is a list of software vulnerabilities discovered or fixed by Googlers, along with presentations we've given at industry security conferences. You can also find publications about security, cryptography, and privacy work in Google's main research portal.

Googler Product Date Reference Description More info

Niels Heinen opencryptoki 2012-09-27 CVE-2012-4454, CVE-2012-4455 Local privilege escalation CVE

Thai Duong Chrome, Firefox 2012-09-21 CVE-2012-4929 TLS Compression Information Leak CVE

Abhishek Arya Firefox 2012-08-28 CVE-2012-1972, CVE-2012-1973, many Memory corruption Mozilla advisory

Cris Neckar Microsoft IE 2012-08-15 CVE-2012-2523 Memory corruption MS bulletin

Billy Rios Tridium Niagara 2012-08-15 CVE-2012-4027 Privilege Escalation US-CERT

Billy Rios Tridium Niagara 2012-08-15 CVE-2012-4028 Weak Cred Storage US-CERT

Billy Rios Tridium Niagara 2012-08-15 CVE-2012-3025 Plaintext Credential Storage US-CERT

Billy Rios Tridium Niagara 2012-08-15 CVE-2012-3024 Authentication Bypass US-CERT

Mateusz Jurczyk, Gynvael Coldwind Adobe Reader 2012-08-14 CVE-2012-4149, CVE-2012-4160 Multiple memory corruption vulnerabilities Adobe Bulletin

Mateusz Jurczyk Microsoft Windows 2012-08-14 CVE-2012-2527 Win32k Use After Free Vulnerability MS bulletin

Mateusz Jurczyk, Gynvael Coldwind Google Chrome 2012-08-06 CVE-2012-2851, CVE-2012-2855, CVE-2012-2856, CVE-2012-2862, CVE-2012-2863, many more. Multiple memory corruption vulnerabilities Chrome Blog

Abhishek Arya, Adam Barth, Cris Neckar, David Levin, Julien Chaffraix, Stephen Chenney, Thomas Sepez Safari 6 (WebKit) 2012-07-25 many Memory corruption Apple Advisory

Abhishek Arya Firefox 2012-07-17 CVE-2012-1951, CVE-2012-1954, CVE-2012-1953, CVE-2012-1952 Memory corruption Mozilla advisory

Mateusz Jurczyk libexif 2012-07-12 CVE-2012-2812, CVE-2012-2813, CVE-2012-2814 Memory corruption, information leak vulnerabilities Bugtraq

Niels Heinen Apache 2012-06-13 CVE-2012-2687 XSS in mod_negotiate Apache bug tracker

Mateusz Jurczyk Microsoft Windows 2012-06-12 CVE-2012-1867 Font Resource Refcount Integer Overflow Vulnerability MS bulletin

Billy Rios Windows 2012-06-12 CVE-2007-2219 Remote Code Execution MS bulletin

Abhishek Arya Firefox 2012-06-05 CVE-2012-1947, CVE-2012-1940, CVE-2012-1941 Memory corruption Mozilla advisory

Kees Cook nVidia graphics drivers 2012-05-17 CVE-2012-0951, CVE-2012-0952, CVE-2012-0953 Privilege escalation via ioctl races Bug tracker

Andrew Lyons & Drew Hintz Microsoft Hotmail 2012-05-01 CVE-2012-2520 Persistent XSS

Tavis Ormandy OpenSSL 2012-04-19 CVE-2012-2110 ASN.1 parsing bug in OpenSSL

Ken Mixter & Daniel Kurtz Xorg 2012-04-18 CVE-2012-2118 format string flaw when logging input device names Blog

Billy Rios Siemens WinCC 2012-04-18 CVE-2011-4508 Authentication Bypass US-CERT

Billy Rios Siemens WinCC 2012-04-18 CVE-2011-4509 Weak Credentials US-CERT

Billy Rios Siemens WinCC 2012-04-18 CVE-2011-4510 XSS US-CERT

Billy Rios Siemens WinCC 2012-04-18 CVE-2011-4511 XSS US-CERT

Billy Rios Siemens WinCC 2012-04-18 CVE-2011-4513 Client side attacks via specially crafted files US-CERT

Niels Heinen Apache (debian) 2012-04-15 CVE-2012-0216 Code execution on specific setups Debian advisory

Mateusz Jurczyk, Gynvael Coldwind FFmpeg, libav 2012-04-14 CVE-2011-3930 up to CVE-2011-3952; many more. Multiple memory corruption vulnerabilities Link

Billy Rios Adobe Reader 2012-04-10 CVE-2011-4371 Heap Overflow Adobe Bulletin

Fermin Serna Adobe Flash 2012-04-05 CVE-2012-0724, CVE-2012-0725 Adobe Flash sandbox escapes Adobe Bulletin

Billy Rios Invensys Information Portal 2012-04-02 CVE-2012-0225 XSS US-CERT

Billy Rios Invensys Information Portal 2012-04-02 CVE-2012-0226 SQLi US-CERT

Billy Rios Invensys Information Portal 2012-04-02 CVE-2012-0228 Priv Escalation US-CERT

Mateusz Jurczyk FreeType2 2012-03-08 CVE-2012-1126 up to CVE-2012-1144 Multiple memory corruption vulnerabilities

Abhishek Arya, Adam Klein, Cris Neckar, Dave Levin, Lei Zhang, Jeremy Apthorp, Julien Chaffraix, Lei Zhang Safari 5.1.4, iTunes 10.6 (WebKit) 2012-03-07 many Memory corruption Apple advisory

Kees Cook glibc 2012-03-05 CVE-2012-0864 FORTIFY_SOURCE bypass via format string nargs integer overflow. NOTE: fix vuln only, did not find. Link

Mateusz Jurczyk OpenType Sanitizer 2012-03-02 CVE-2011-3062 Off-by-one in function pointer array management Chrome bug tracker

Fermin Serna Adobe Flash 2012-02-23 CVE-2012-0769 Information leak Link

Eduardo Vela Adobe Flash 2012-02-15 CVE-2012-0755 Flash Origin Spoofing Adobe Bulletin

Billy Rios Invensys HMI Reports 2012-02-08 CVE-2011-4038 XSS US-CERT

Billy Rios Invensys HMI Reports 2012-02-08 CVE-2011-4039 Memory Corruption US-CERT

Ben Hawkes Firefox 2012-01-31 CVE-2012-0443 Memory corruption Mozilla advisory

Meder Kydyraliev Struts2/XWork 2012-01-22 CVE-2011-3923 Remote code execution Link

Ben Laurie OpenSSL 2012-01-04 CVE-2011-4109 Double free

Mateusz Jurczyk Microsoft Windows 2011-12-13 CVE-2011-2018 Windows Kernel Exception Handler Vulnerability MS bulletin

Michal Zalewski Firefox / Chrome / Safari / Opera/ Internet Explorer 2011-12-06 CVE-2011-4692 CVE-2011-4691 CVE-2011-4690 CVE-2011-4689 CVE-2011-4688 Cache timing attack LInk

Billy Rios Safari 2011-11-17 CVE-2010-0045 Remote Code Execution Apple advisory

Billy Rios Safari 2011-11-16 CVE-2010-1778 File Theft Apple advisory

Eduardo Vela Netflix 2011-11-11 Script Inclusion and XSS

Ben Hawkes Adobe Flash 2011-11-10 CVE-2011-2456 Memory corruption Adobe Bulletin

Felix Groebert Apple FileVault 2011-10-14 CVE-2011-3212 Information leak

Billy Rios Safari, AppleTV 2011-10-12 CVE-2011-0216 Heap Overflow LibXML Apple advisory

Abhishek Arya, Adam Barth, Cris Neckar, Dimitri Glazkov, Dominic Cooney, Kent Tamura, Philip Rogers, Raman Tenneti, Sadrul Habib Chowdhury Safari 5.1.1, iTunes 10.5 (WebKit) 2011-10-11 many Memory corruption Apple advisory

Ben Hawkes Firefox 2011-09-27 CVE-2011-3003 Memory corruption Mozilla advisory

Ben Hawkes nginx 2011-09-11 CVE-2011-4315 Memory corruption Link

Ben Hawkes Squid 2011-08-28 CVE-2011-3205 Memory corruption Link

Eduardo Vela Facebook 2011-08-15 XSS and RPC spoofing Blog

Tavis Ormandy Adobe Flash 2011-08-12 CVE-2011-2424 (one CVE, dozens of bugs) Memory corruption Google Security Blog

Michal Zalewski Internet Explorer 2011-08-09 MS11-057 Defense in depth MS bulletin

Robert Swiecki Microsoft IE 2011-06-14 CVE-2011-1246 Universal XSS MS bulletin

Billy Rios Adobe Reader 2011-06-14 CVE-2011-2101 Remote Code Execution Adobe Bulletin

Chris Evans libxml 2011-05-27 Integer problems / memory corruption Blog

Niels Heinen python 2011-05-24 CVE-2011-1521 File disclosure in urllib redirect handling Python Blog

Eduardo Vela easyXDM 2011-04-14 XSS and RPC spoofing Link

Felix Groebert Apple CoreGraphics and TypeServer 2011-03-23 CVE-2011-0175, CVE-2011-0176, CVE-2011-0202 Code execution

Chris Evans Chrome, Firefox, Internet Explorer, Opera, Safari 2011-03-09 Information leak Blog

Abhishek Arya, Chris Evans, Emil A Eklund, Erik Wong, Michal Zalewski, Mihai Parparita, Yuzo Fujishima Safari 5.0.4, iOS4.3, iTunes 10.2 (WebKit) 2011-03-09 many Memory corruption Apple advisory

Chris Evans Foxit PDF Reader 2011-03-05 Arbitrary file write Blog

Felix Groebert Ruby on Rails 2011-02-08 CVE-2011-0447 XSRF

Billy Rios Adobe Reader 2011-02-08 CVE-2011-0587 XSS Adobe Bulletin

Billy Rios Adobe Reader 2011-02-08 CVE-2011-0604 XSS Adobe Bulletin

Eduardo Vela Oracle Java Applets 2011-02-01 CVE-2010-4466 Java Universal XSS Vulnerability Oracle advisory

Eduardo Vela Marcaria.com 2011-01-12 Authentication Bypass

Michal Zalewski Internet Explorer 6, 7, 8 2011-01-01 MS11-018 CVE-2011-0346 Use-after-free Blog

Michal Zalewski Internet Explorer 2011-01-01 CVE-2011-0347 Graphics rendering problem Blog

Abhishek Arya, Cris Neckar, Rohit Makasana Safari 5.0.3, iOS4.2 (WebKit) 2010-11-22 many Memory corruption Apple advisory

Chris Evans Internet Explorer 2010-10-21 Cross-origin Infomation Disclosure Blog

Eduardo Vela Mozilla Firefox 2010-10-19 CVE-2010-3178 Cross-site Information Disclosure Mozilla advisory

Michal Zalewski Safari 5 (WebKit) 2010-10-07 CVE-2010-1119 CVE-2010-3811 Use-after-free Blog

Michal Zalewski Firefox 3.5, Safari 5 (WebKit) 2010-10-05 CVE-2010-1206 MFSA 2010-45 CVE-2010-3774 MFSA 2010-83 CVE-2010-2454 URL bar spoofing vulnerabilities Blog

Billy Rios Adobe Reader 2010-10-05 CVE-2010-3625 Remote Code Execution Adobe Bulletin

Chris Evans Internet Explorer 2010-09-29 Universal XSS Blog

Ben Hawkes Linux kernel 2010-09-14 CVE-2010-3301 Local privilege escalation Link

Ben Hawkes Linux kernel 2010-09-07 CVE-2010-3081 Local privilege escalation Link

Michal Zalewski Firefox 3.6 2010-09-07 MFSA 2010-49 CVE-2010-3169 MFSA 2010-64 CVE-2010-3175 Memory corruption Mozilla advisory

Ben Hawkes Linux kernel 2010-08-20 CVE-2010-2959 Local privilege escalation Link

Meder Kydyraliev JBoss Seam 2010-07-28 CVE-2010-1871 Remote code execution Blog

Meder Kydyraliev Struts2/XWork 2010-07-09 CVE-2010-1870 Remote code execution Link

Robert Swiecki FreeType2 2010-06-05 CVE-2010-2497 CVE-2010-2498 CVE-2010-2499 CVE-2010-2500 CVE-2010-2519 CVE-2010-2520 CVE-2010-2527 Memory corruption Link

Eduardo Vela Apple Safari 2010-04-15 CVE-2010-1394 HTML Serialization Bug Apple advisory

Michal Zalewski Firefox 3.5, Safari 5 (WebKit) 2010-04-15 MFSA 2010-31 CVE-2010-1125 CVE-2010-1422 Strokejacking Blog

Billy Rios Adobe Reader 2010-04-13 CVE-2010-0190 Remote Code Execution Adobe Bulletin

Billy Rios Adobe Reader 2010-04-13 CVE-2010-0191 Remote Code Execution Adobe Bulletin

Michal Zalewski Internet Explorer 6 2010-04-05 MS10-035 CVE-2010-1259 Uninitialized memory corruption vulnerability MS bulletin

Eduardo Vela Microsoft IE 2010-02-10 CVE-2010-3243 CSS Serialization Problem MS bulletin

Neel Mehta, Sumit Gwalani, Drew Hintz Microsoft Windows 2010-02-09 CVE-2010-0239, CVE-2010-0240, CVE-2010-0241 Remote code execution in tcpip.sys MS bulletin

Michal Zalewski Safari 5 (WebKit) 2010-02-03 CVE-2010-0544 Universal XSS Blog

Eduardo Vela Microsoft IE 2010-01-21 CVE-2009-4074, CVE-2010-1489 Universal XSS in IE 8 MS bulletin

Tavis Ormandy Windows kernel 2010-01-21 CVE-2010-0232 Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack Blog

Chris Evans Chrome, Firefox, Internet Explorer, Opera, Safari 2009-12-28 Cross-origin Infomation Disclosure Blog

Billy Rios FireFox 2009-11-25 CVE-2008-2933 Protocol Handling Issue Mozilla bug tracker

Tavis Ormandy, Julien Tinnes VMware 2009-10-30 CVE-2009-2267 Guest privilege escalation via VM86 Blog

Michal Zalewski Safari 4 (WebKit) 2009-09-24 CVE-2009-3384 Code execution

Julien Tinnes, Tavis Ormandy NetBSD and other kernels. 2009-09-16 CVE-2009-2793 Privilege escalation via precommit #GP. Link

Drew Hintz Microsoft Silverlight.net 2009-09-01 MSRC 9210 SQL Injection

Tavis Ormandy, Julien Tinnes Linux Kernel 2009-08-28 CVE-2009-2698 Privilege escalation Blog

Tavis Ormandy, Julien Tinnes Linux Kernel 2009-08-13 CVE-2009-2692 Privilege escalation in all 2.4 and 2.6 Linux kernels. Link

Peter Valchev libexpat 2009-08-06 CVE-2009-3720 Memory corruption/DoS, multiple NVD

Chris Evans Apple CoreGraphics 2009-08-05 Memory corruption Blog

Julien Tinnes, Tavis Ormandy Pulseaudio 2009-07-16 CVE-2009-1894 Privilege escalation Blog

Tavis Ormandy, Julien Tinnes Microsoft VirtualPC 2009-07-15 CVE-2009-1542 Guest privilege escalation MS bulletin

Chris Evans mimetex 2009-07-10 Memory corruption, information disclosure Link

Chris Palmer Android 2009-07-06 CVE-2009-2348 Authorization bypass

Julien Tinnes, Tavis Ormandy Linux kernel 2009-06-26 CVE-2009-1895 mmap_min_addr bypass Blog

Chris Evans Safari 2009-06-09 Cross-origin Infomation Disclosure Blog

Chris Evans Safari 2009-06-08 File theft Blog

Michal Zalewski Safari 4 (WebKit) 2009-05-20 CVE-2009-1684 Universal XSS

Chris Evans Java 2009-03-27 Memory corruption Blog

Chris Evans LittleCMS (lcms) 2009-03-17 Memory corruption Blog

Chris Evans Linux kernel 2009-02-24 Bypass signal restrictions Blog

Michal Zalewski Internet Explorer 2009-02-12 MS09-014 CVE-2009-0551 Memory corruption MS bulletin

Chris Evans Linux kernel 2009-01-23 Syscall filter bypass Blog

Chris Evans Firefox 2008-12-07 Cross-origin Infomation Disclosure Blog

Billy Rios Java 2008-12-05 CVE-2008-5343 GIFAR NVD

Chris Evans Firefox 2008-11-17 Cross-origin Infomation Disclosure Blog

Michal Zalewski, Chris Evans Firefox 2 2008-11-12 MFSA 2008-48 CVE-2008-5012 Cross-domain data disclosure Mozilla advisory

Chris Evans Python 2008-10-20 Memory corruption Blog

Ben Laurie Various OpenID providers 2008-08-08 CVE-2008-3280 Weak SSL keys in OpenID providers

Chris Evans libxslt 2008-07-31 Memory corruption Blog

Michal Zalewski Mac OS X 2008-05-18 CVE-2008-2321 Code execution

Chris Evans Java 2008-03-05 Memory corruption Blog

Chris Evans Ghostscript 2008-02-27 Memory corruption Blog

Michal Zalewski Firefox 2 2008-02-07 MFSA 2008-02 CVE-2008-0414 Strokejacking Mozilla advisory

Michal Zalewski Firefox 2 2008-02-07 MFSA 2008-08 CVE-2008-0591 Trusted UI problem Mozilla advisory

Martin Straka Firefox 2008-02-01 CVE-2008-0593 Information leak Mozilla advisory

Peter Valchev libcairo 2007-11-16 CVE-2007-5503 Memory corruption NVD

Chris Evans pcre 2007-11-07 Memory corruption Link

Michal Zalewski Mac OS X 2007-11-06 CVE-2007-5854 XSS

Billy Rios Windows 2007-10-11 CVE-2007-3896 Remote Code Execution NVD

Billy Rios Java 2007-10-03 CVE-2007-5232 DNS Rebinding NVD

Michal Zalewski Safari 3 (WebKit) 2007-07-12 CVE-2007-3758 CVE-2007-3760 CVE-2007-3756 Universal XSS

Billy Rios FireFox 2007-07-10 CVE-2007-3670 protocol Handling Issue NVD

Martin Straka Java 2 Platform, Standard Edition 2007-06-01 Security Sun Alert 201348 XSS Oracle advisory

Chris Evans Java 2007-05-15 Memory corruption Link

Robert Swiecki Linux kernel 2007-03-27 CVE-2007-1734 Linux kernel memory disclosure Security Focus

Chris Evans OpenBSD kernel 2006-10-07 Memory corruption Link

Tavis Ormandy gzip 2006-08-28 CVE-2006-4336, CVE-2006-4337, CVE-2006-4338 Memory corruption Link

Tavis Ormandy libtiff 2006-06-16 CVE-2006-3460, CVE-2006-3461, CVE-2006-3462 Memory corruption Link

Chris Evans libgif 2005-11-06 Memory corruption Link

Token From: http://www.google.com/about/appsecurity/research/

0 comments:

Post a Comment