HP Security Research Blog
The HP Security Research blog provides a platform for security experts from across HP to discuss innovative research, industry observations, and updates on the threat landscape to help organizations proactively identify and manage risk.

The importance of languages for the professional developer

How building a small custom fuzzer demonstrates the importance of fluency in multiple programming languages. 

There’s No Place Like Localhost: A Welcoming Front Door To Medium Integrity

This year, Abdul Aziz Hariri, Jasiel Spelman, and myself (Matt Molinyawe) of the Zero Day Initiative were involved in producing an exploit for this year’s Pwn4Fun. It demonstrated our work and that people from major companies could produce a full exploit in the name of charity, good will, and trying to make positive change in software without asking for anything in return. The Zero Day Initiative had also disclosed 6 additional Microsoft Internet Explorer vulnerabilities found by Abdul Aziz Hariri over the two weeks prior to this event.

Efficacy of MemoryProtection against use-after-free vulnerabilities

As of the July 2014 patch of Internet Explorer, Microsoft has taken a major step in the evolution of exploit mitigations built into its browser. The new mitigation technology is called MemoryProtection (or MemProtect, for short) and has been shown to be quite effective against a range of use-after-free (UAF) vulnerabilities. Not all UAFs are equally affected, however. Here we’ll discuss what MemoryProtection is and how it operates, and evaluate its effectiveness against various types of UAFs.

Labels: IE| MemoryProtection| UAF| ZDI

Four years and counting: ZDI leads Frost & Sullivan disclosure field

HP Security Research has just learned that our Zero Day Initiative (ZDI) team has received the Global Frost & Sullivan Company of the Year Award for 2013 – the fourth year in a row we’ve been honored as the pre-eminent public vulnerability research program.  The award is an honor; reading Frost & Sullivan's report on the current state of vulnerability research is a treat.

Double-Dip: Using the latest IE 0-day to get RCE and an ASLR Bypass

Could the latest 0-day used in the wild be stealthier?

The attack discovered last week used two vulnerabilities but it could have been stealthier. A bug was exploited in flash to bypass ASLR and another in IE to gain RCE. ZDI's research proved that the IE bug can be exploited to bypass ASLR+DEP without using a Flash bug.

Labels: 0day| ASLR| DEP| exploit| IE| IE0day| ZDI

HP Security Research Threat Intelligence Briefing episode 10 - ZDI 2013 in review

It’s that time again, when we look at the vulnerability year that was and muse about the vulnerability year that will be. 2013 was a huge year for the Zero Day Initiative – we purchased more cases this year than in any other since the inception of the ZDI program 10 years ago. And what cases they were – vulnerabilities unearthed in widespread critical software used by enterprises and the greater computing community alike.  In this month’s Threat Briefing we walk 2013’s vulnerabilities, talk vendors, and think out loud about where this is going in 2014.

Pwn2Own’s New Exploit Unicorn Prize: Additional Background for Civilians

This year at Pwn2Own, we’re hunting the Exploit Unicorn – not because we think there are a lot of researchers out there who can capture it, but because we think there aren’t. That said, an attacker able to win this prize (and $150,000 for their efforts) is able to break through Microsoft’s most powerful protections, including a tool built specifically to protect against sophisticated attacks.

Pwn2Own 2014: Rules and Unicorns

HP’s Zero Day Initiative is once again expanding the scope of its annual Pwn2Own contest, with a new competition that combines multiple vulnerabilities for a challenge of unprecedented difficulty and reward.

Labels: HPSR| pwn2own| ZDI

Mobile Pwn2Own Tokyo 2013 – Crash bang boom

The results are in. Catch up with all the news from Mobile Pwn2Own in this handy summary of the contest.

Mobile Pwn2Own 2013 Yields Exploits in Safari, Samsung S4 applications

Mobile Pwn2Own 2013 started out with a bang. HP’s Zero Day Initiative and competition co-sponsors Google and Blackberry awarded $67,500 USD for the disclosure of multiple 0-day vulnerabilities and exploit techniques in the Safari browser and mobile applications.  We are excited to bring Pwn2Own to Japan to see the breadth of research from across the world, including exploits which reveal techniques that can help internal security teams improve their mitigations. 

Local Japanese team exploits mobile applications to install malware on Samsung Galaxy S4

Time to rethink how you use your browser on your mobile device. Social engineering + application exploit = malware

Welcome to Mobile Pwn2Own at PacSec Tokyo - Super, happy fun

It's the big day! Join us for all the excitement of HP's ZDI Mobile Pwn2Own contest at PacSec in Tokyo. We'll be blogging throughout the day with news and the results of the contest.

Trick or treat? Who’s afraid of mobile malware?

We thought today might be a good time to dig a little into the specter of mobile malware. Spooky stories abound, but is it really the tale of terror it's told to be?

Labels: Malware| mobile| security| ZDI

Pwn2Own 2013 Recap

So, what happened at Pwn2Own this year? The question really should be: "What didn't happen at Pwn2Own this year?" Now that the dust has settled, let's step back and look at the carnage resulting from Pwn2Own!

Labels: HPSR| pwn2own| ZDI

Pwn2Own 2013

Get ready for Pwn2Own 2013 at CanSecWest March 6th-8th in Vancouver, British Columbia where HP ZDI is offering more than half a million dollars (USD) in cash and prizes.

Labels: HPSR| pwn2own| ZDI

Formation of HP Security Research

We're pleased to announce the formation of HP Security Research (HPSR), a new group that will provide actionable security intelligence through published reports, threat briefings, and content delivered through the HP security product portfolio.

Search
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog

Featured


Follow Us
Labels
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.