How to Fix a Mac That’s Running Slow

Every device sooner or later begins to run slower and slower. Even the Mac, which is a highly-efficient Apple product, starts to slow down and becomes a real pain to use over time. If you are a heavy Mac user this is especially true and you are more likely to experience performance issues. There...

Microsoft Edge Chakra JIT Loop Analysis Bug

Microsoft Edge: Chakra: JIT: Loop analysis bug CVE-2018-0777 Here's the PoC demonstrating OOB write. function optarr, start, end for let i = start; i end; i++ if i === 10 i += 0; // -- a arri = 2.3023e-320; function main let arr = new Array100; arr.fill1.1; for let i = 0; i 1000; i++ optarr, 0, 3...

Microsoft Edge Chakra JIT - Out-of-Bounds Write

Microsoft Edge Chakra JIT - Out-of-Bounds Write // Here's the PoC demonstrating OOB write. function optarr, start, end for let i = start; i end; i++ if i === 10 i += 0; // -- a arri = 2.3023e-320; function main let arr = new Array100; arr.fill1.1; for let i = 0; i 1000; i++ optarr, 0, 3; optarr, ...

Microsoft Edge Chakra JIT - Incorrect Bounds Calculation

Microsoft Edge Chakra JIT - Incorrect Bounds Calculation / Let's start with comments in the "GlobOpt::TrackIntSpecializedAddSubConstant" method. // Track bounds for add or sub with a constant. For instance, consider b = a + 2. The value of 'b' should track // that it is equal to the value of 'a' ...

Microsoft Edge Chakra JIT - Out-of-Bounds Write

// Here's the PoC demonstrating OOB write. function optarr, start, end for let i = start; i end; i++ if i === 10 i += 0; // -- a arri = 2.3023e-320; function main let arr = new Array100; arr.fill1.1; for let i = 0; i 1000; i++ optarr, 0, 3; optarr, 0, 100000; main; / What happens here is as...

Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)

; =================================================================== ; Optimized version of shellcode at: ; http://shell-storm.org/shellcode/files/shellcode-867.php ; Author: SLAE64-1351 Keyman ; Date: 14/09/2014 ; ; Length: 105 bytes got shorter by 13 bytes ; ; What's new is that some...

Meltdown and Spectre fallout: patching problems persist

Last week, the disclosure by multiple teams from Graz and Pennsylvania University, Rambus, Data61, Cyberus Technology, and Google Project Zero of vulnerabilities under the aliases Meltdown and Spectre rocked the security world, sending vendors scurrying to create patches, if at all possible, and...

Microsoft Edge Chakra JIT BackwardPass::RemoveEmptyLoopAfterMemOp Failed Insert

Microsoft Edge: Chakra: JIT: BackwardPass::RemoveEmptyLoopAfterMemOp doesn't insert branches. CVE-2017-11909 The optimizations for memory operations may leave empty loops as follows: for let i = 0; i arr.length; i++ arri = 0; Becomes: Memsetarr, 0, arr.length; for let i = 0; i arr.length; i++ //...

Microsoft Edge Chakra JIT - Op_MaxInAnArray and Op_MinInAnArray can Explicitly call User-Defined JavaScript Functions

Microsoft Edge Chakra JIT - OpMaxInAnArray and OpMinInAnArray can Explicitly call User-Defined JavaScript Functions / 1. Call patterns like "Math.max.applyMath, 1, 2, 3, 4, 5" and "Math.max.applyMath, arr" can be optimized to directly call the method "JavascriptMath::MaxInAnArray" in the Inline...

Microsoft Edge Chakra JIT - Op_MaxInAnArray and Op_MinInAnArray can Explicitly call User-Defined Jav

Exploit for windows platform in category dos / poc / 1. Call patterns like "Math.max.applyMath, 1, 2, 3, 4, 5" and "Math.max.applyMath, arr" can be optimized to directly call the method "JavascriptMath::MaxInAnArray" in the Inline Phase. 2. The method takes the original method "Math.max" as the...

Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches

Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches / The optimizations for memory operations may leave empty loops as follows: for let i = 0; i arr.length; i++ arri = 0; Becomes: Memsetarr, 0, arr.length; for let i = 0; i arr.length; i++ // empty! These...

(RHSA-2018:0046) Important: rhev-hypervisor7 security update

The rhev-hypervisor7 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine KVM hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Re...

(RHSA-2018:0044) Important: redhat-virtualization-host security update

The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts RHVH are installed using a special build of Red Hat Enterprise Linux with only the packages required to host...

RedHat Update for kernel RHSA-2018:0007-01

The remote host is missing an update for the SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVE-2017-1000433

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password...

F5 Networks BIG-IP : LibTIFF vulnerability (K11220361)

The NeXTDecode function in tifnext.c in LibTIFF allows remote attackers to cause a denial of service uninitialized memory access via a crafted TIFF image, as demonstrated by libtiff5.tif. CVE-2015-1547 Impact This vulnerability allows a remote attacker to cause a denial-of-service DoS attack.BIG-...

[SECURITY] Fedora 27 Update: optipng-0.7.6-5.fc27

OptiPNG is a PNG optimizer that recompresses image files to a smaller size, without losing any information. This program also converts external formats BMP, GIF, PNM and TIFF to optimized PNG, and performs PNG integrity checks and corrections...

Microsoft Edge: Chakra: JIT: Incorrect function declaration scope(CVE-2017-11870)

In the following JavaScript code, both of the print calls must print out "undefined" because of "x" is a formal parameter. But the second print call prints out "function x ". This bug may lead to type confusion in JITed code. function fx printx; function x printx; The following code in...

[SECURITY] Fedora 26 Update: varnish-5.1.3-4.fc26

This is Varnish Cache, a high-performance HTTP accelerator. Varnish Cache stores web pages in memory so web servers don=EF=BF=BD=EF=BF =BD=EF=BF=BDt have to create the same web page over and over again. Varnish Cache serves pages much faster than any application server; giving the website a...

Microsoft Edge Chakra JIT - 'BailOutOnTaggedValue' Bailouts Type Confusion

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1364 1. In the Chakra's JIT compilation process, it stores variables' type information by basic block. function optb let o; if b // BASIC BLOCK a o = ; else // BASIC BLOCK b o = 1.1; // BASIC BLOCK c return o; For example, let's...