HP Security Research Blog
The HP Security Research blog provides a platform for security experts from across HP to discuss innovative research, industry observations, and updates on the threat landscape to help organizations proactively identify and manage risk.

Displaying articles for: September 2013

Deep impact - the ZDI disclosure policy

The main objective of HP’s Zero Day Initiative is to reward security researchers for responsibly disclosing vulnerabilities. Through this program, nearly 300 vulnerabilities were discovered and patched between August 1, 2012 and August 31, 2013.


Keep reading to find out how responsible disclosure programs play a role in securing software – and what happened when we turned the focus on ourselves.


CVE-2013-3112: From NULL to Control - Persistence pays off with crashes

Months ago, my fuzzer found a bug that was initially flagged as a NULL pointer dereference. The crash instruction was different from the others, so I decided to minimize the crash and have a closer look. Things got quite interesting, and with some persistence, I ended up in control of EIP (Extended Instruction Pointer). This article walks through the whole analysis process from a NULL pointer crash to fully controlling execution.

Labels: crashes | security

Visibility into the running application - finally!

HP Protect was a really good event this year - heaps of announcements, and some interesting developments on the application security front. The keynote on secure software development by Gary McGraw was highly entertaining and the interview afterwards with HP ESP CTO Jacob West is definitely worth checking out too.

As one of the main drivers behind the project bringing real application visibility to the ArcSight platform, the announcement on HP ArcSight Application View by Fortify’s GM Mike Armistead was of particular interest to me. This solution gives you visibility into applications running in your environment. It uses the HP Fortify runtime capabilities to extract information from an application in conjunction with ArcSight ESM to make sense of the data that is coming in.


Let’s focus on the HP Fortify component that extracts information from the application for a moment. The technology used under the hood is...


In part 1 of this post I described how the proposed WebRTC specification enables the development of real-time communication over browser-based peer-to-peer (P2P) connections that can support useful things like live video communication, Content Delivery Networks, screen casting and others without the need for third-party plugins. However, it’s not necessarily all smooth sailing with WebRTC and in this follow-up, I look at threats to some of the WebRTC components and what you can do to protect your software development against them.

A new way to share security intelligence

IT professionals know that the security environment is more complicated than in the past. Attackers are constantly changing their attack methods and professionals have to evolve to remain ahead of the attacks. These attacks are more complex, which requires faster and more effective responses.


This is why HP developed HP Threat Central (HPTC). This platform allows organizations to share threat intelligence securely, confidentially and in real-time. Keep reading to find out how this new platform can help you build a comprehensive and trustworthy threat information sharing environment.

HP Security Research Threat Intelligence Briefing - Episode 7

In this briefing, we discuss various attacks that make use of the Domain Name System (DNS) and the severity of these attacks. DNS is a vital component of the Internet. While some consider DNS to be equivalent to a phone book, it is actually much more. DNS is arguably the most critical service on a network as it is necessary for establishing communications.  When the DNS is compromised, malicious actors can control communications for very large groups of people and applications. With domain hijacking, the attacker can even take over an organization’s domain without ever touching the organization directly.


DNS and search engines together control almost ALL communications on the Internet. If you control a DNS resolver, you can control all traffic using that resolver. If you control an authoritative DNS server, you can control all users’ traffic destined for that domain. If you own the domain of a search engine (e.g. Google or Bing), you control ALL communications from users and applications on the Internet. DNS is the "key to the kingdom" and attackers are leveraging DNS to hijack users’ traffic and web domains.



Labels: threatbriefings

Mobile Pwn2Own 2013

HP’s Zero Day Initiative (ZDI) announces the second annual Mobile Pwn2Own competition, to be held on November 13-14, 2013 at PacSec Applied Security Conference in Tokyo, Japan. ZDI, along with Mobile Pwn2Own sponsors Google’s Android Security Team and BlackBerry, is looking forward to another groundbreaking competition.


Mobile Pwn2Own is an annual contest that rewards security researchers for highlighting security concerns on mobile platforms. The contest focuses on hardening the mobile attack surface through great research and responsible disclosure. It’s the sister contest to ZDI’s Pwn2Own contest, which is now in its seventh year and a regular feature at CanSecWest.

Oh no! Not another security patch Tuesday blog post!

Patch Tuesday is upon us.  But don’t worry; this isn’t your typical blog post on the latest round of patches. It’s a look at the role the Zero Day Initiative plays in the process...plus some simple advice. Continue reading to join me on this journey. 

About the Author(s)
  • Head of OpSec Research
  • I am a senior security content developer with Hewlett-Packard Security Research (HPSR). In this role, I write and edit security analysis and supporting content from researchers, including those from HP’s Zero Day Initiative (ZDI) program. The ZDI program augments HP’s Enterprise Security Products with zero-day research through a network of over 3,000 independent researchers around the world. I am also responsible for providing insight into the threat landscape; competitive intelligence to the research team; and providing guidance on the social media roadmap. Part of my role includes speaking publicly and promoting the research and technology of the HPSR.
  • Kernelsmith is a senior vulnerability researcher with Hewlett-Packard Security Research (HPSR). In this role, he analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero-Day Initiative (ZDI) program. He also tries to automate whenever he can, pulling from the devops and virtualization arenas. Josh is also a developer for the Metasploit Framework, has spoken at a few conferences, and holds a few certifications. Prior to joining HP, Smith served in the U.S. Air Force for 10 years and subsequently became a security engineer at the Johns Hopkins University Applied Physics Laboratory. Smith performed research into weapons systems vulnerabilities as well as evasion and obfuscation techniques to add depth and realism to security device tests. Smith received a B.S. in Aeronautical Engineering from Rensselaer Polytechnic Institute and an M.A. in Management of Information Systems from the University of Great Falls.
  • Security Researcher, Software Security Research
  • Security Researcher, Zero Day Initiative
  • Steve Povolny manages the Digital Vaccine team at HP TippingPoint. The team is composed of security researchers and filter/signature developers for the Intrusion Prevention System.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.