HP Security Research Blog
The HP Security Research blog provides a platform for security experts from across HP to discuss innovative research, industry observations, and updates on the threat landscape to help organizations proactively identify and manage risk.

Adobe's CVE-2015-5090 - Updating the Updater to become the bossman

In July 2015, Adobe patched many different bugs in Reader and Acrobat. One of those bugs, CVE-2015-5090, can allow code execution with SYSTEM privileges. This deep dive covers the discovery of the bug and how it can be used as a functioning exploit.

Naming and graphic design services for bugs now available

ZDI is now offering vulnerability naming and graphic design services for researchers who reach Gold status. No longer will your bug suffer in anonymity; we’ll hook you up with our crack design team to give your bug the name and logo it deserves.

A look back at Pwn2Own 2015

wrap.jpgFor two fantastic days in Vancouver, six researchers again demonstrated that when you enter Pwn2Own and are successful, you can count yourself among the best in the world. After a weekend’s worth of reflection, let’s step back and review the highlights.

Pwn2Own 2015: Day One results

Researcher Winning.PNGThe first day of Pwn2Own 2015 saw successful attempts by four entrants against four products, with payouts of $317,500 to researchers in the main competition.

Pwn2Own 2015: The lineup

ZDI Logo_4Blog_200px.jpgThe competition order for Pwn2Own 2015 was assigned by random drawing in the Pwn2Own room on Wednesday morning. This year found seven contestants targeting the various products in the competition, with some handling multiple challenges – twelve competitions in all.

Pwn2Own 2015: The final contestants

welcome to vancouver.jpgPwn2Own begins tomorrow, but registrations have closed. A total of seven groups and individuals have signed up to attempt exploits on the available targets. Here are those competing.

Full details on CVE-2015-0096 and the failed MS10-046 Stuxnet fix

zdi-small.pngIn accordance with the Zero Day Initiative’s disclosure policies, we are releasing full details on the CVE-2015-0096 issue patched today in MS15-020. This issue concerns a Stuxnet vulnerability first allegedly addressed by MS10-046. We track this issue as ZDI-15-086.

CVE-2015-0096 issue patched today involves failed Stuxnet fix

zdi-small.pngA vulnerability disclosed to Microsoft by the Zero Day Initiative demonstrates that fully patched machines have been vulnerable to the CVE-2010-2568 – the LNK vulnerability first widely reported in Stuxnet -- for nearly five years.

Just another day at the office: A ZDI analyst’s perspective on ZDI-15-030

zdi-small.pngA vulnerability report received late last year by the Zero Day Initiative contained a particularly well-written and well-documented example of a Windows kernel issue. Let’s take a walk through ZDI-15-030.

HPSR, Microsoft, disclosure, and the $125,000 bug bounty

zdi-small.pngHP Security Research is pleased to announce that Zero Day Initiative (ZDI) team members Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun have won $125,000 from Microsoft’s mitigation-bypass bug bounty program. We discuss what they found and why they won’t keep the money.

Happy new year (and new guidelines) from the ZDI

As the Zero Day Initiative closes the books on the most successful year in its history, we thank our contributors – and lay plans to raise the bar on contributions in 2015.

Four years and counting: ZDI leads Frost & Sullivan disclosure field

HP Security Research has just learned that our Zero Day Initiative (ZDI) team has received the Global Frost & Sullivan Company of the Year Award for 2013 – the fourth year in a row we’ve been honored as the pre-eminent public vulnerability research program.  The award is an honor; reading Frost & Sullivan's report on the current state of vulnerability research is a treat.

Pwn2Own’s New Exploit Unicorn Prize: Additional Background for Civilians

This year at Pwn2Own, we’re hunting the Exploit Unicorn – not because we think there are a lot of researchers out there who can capture it, but because we think there aren’t. That said, an attacker able to win this prize (and $150,000 for their efforts) is able to break through Microsoft’s most powerful protections, including a tool built specifically to protect against sophisticated attacks.

Deep impact - the ZDI disclosure policy

The main objective of HP’s Zero Day Initiative is to reward security researchers for responsibly disclosing vulnerabilities.  Through this program, nearly 300 vulnerabilities have been discovered and patched between August 1, 2012 and August 31, 2013.

 

Keep reading to find out how responsible disclosure programs play a role in securing software – and what happened when we turned the focus on ourselves.

 

Search
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
  • Head of OpSec Research
  • I am a senior security content developer with Hewlett-Packard Security Research (HPSR). In this role, I write and edit security analysis and supporting content from researchers, including those from HP’s Zero Day Initiative (ZDI) program. The ZDI program augments HP’s Enterprise Security Products with zero-day research through a network of over 3,000 independent researchers around the world. I am also responsible for providing insight into the threat landscape; competitive intelligence to the research team; and providing guidance on the social media roadmap. Part of my role includes speaking publicly and promoting the research and technology of the HPSR.
  • Kernelsmith is senior vulnerability researcher with Hewlett-Packard Security Research (HPSR). In this role, he analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero-Day Initiative (ZDI) program. He also tries to automate whenever he can, pulling from the devops and virtualization arenas. Josh is also a developer for the Metasploit Framework and has spoken at a few conferences and holds a few certifications. Prior to joining HP, Smith served in the U.S. Air Force for 10 years and subsequently became a security engineer at the John Hopkins University Applied Physics Laboratory. Smith performed research into weapons systems vulnerabilities as well as evasion and obfuscation techniques to add depth and realism to security device tests. Smith received a B.S. in Aeronautical Engineering from Rensselaer Polytechnic Institute and an M.A. in Management of Information Systems from the University of Great Falls.
  • Security Researcher, Software Security Research
  • Security Researcher, Zero Day Initiative
  • Steve Povolny manages the Digital Vaccine team at HP TippingPoint. The team is composed of security researchers and filter/signature developers for the Intrusion Prevention System.
HP Blog

HP Software Solutions Blog

Featured


Follow Us
Labels
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.