[sago]

I'm not a 'security researcher', and have only a technical layman's grasp of the issue, but:

> "By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,”

The first and second sentence there feels like an 'and then a miracle happens' argument (http://star.psy.ohio-state.edu/coglab/Miracle.html). I get that, in some cases dangling pointers might allow you to get a bit of uploaded data to be treated like a bit of internal data. But it seems to me like a piece of extraordinary unlikely bad luck to allow this to execute arbitrary code.

So I don't dismiss that there is a theoretical risk, but can anyone suggest how much risk is in these risks. In particular, is the risk of such an exploit greater than the risk of an exploiter finding a new weakness? If not, then I can understand why there is no great urgency to patch these flaws.

[xyzzy123]

This is standard description of a UAF (use-after-free) flaw. Reliability can vary from "30% of the time, it works every time" to perfectly reliable. It just depends on the instance of the bug. It is one of the most common exploitable bug classes found via fuzzing.

Because so many browser fuzzing crashes are UAFs, people have put a lot of effort into developing reliable techniques for exploiting them.

See e.g: http://www.rapid7.com/db/modules/exploit/windows/browser/ms1... for a reasonably reliable example.

[sago]

Thank you, exactly what I needed to understand.

[ssclafani]

Google's Project Zero team has written some good blog posts on this topic if you want to read more:

http://googleprojectzero.blogspot.com/2015/06/what-is-good-m...

http://googleprojectzero.blogspot.com/2015/06/dude-wheres-my...

[jerf]

"but can anyone suggest how much risk is in these risks."

Twenty years ago maybe this argument carried the day. Don't even consider using it today. The tooling, techniques, and skill are far higher than you could dream if you are not in this world.

This is not quite the same thing we are talking about, but let me give you a different example. An obscure cross-site-scripting attack is no big deal, right? Well, courtesy of BeEF [1], if the XSS can be leveraged to get you to download a script, which is a low bar, BeEF can then be used to proxy web access in, allowing an attacker to lever up from "small XSS" to "crawling your intranet with the internal credentials of the compromised user".

Yow!

Do not ever count on difficulty of exploit as a defense anymore. In many cases the reason why these people aren't providing off-the-shelf exploits for this sort of thing isn't that it's too difficult to make practical, it is that in the security world it is now too trivial to be worth spelling out. Attacker capabilities (and pen testing capabilities) have skyrocketed in the past ten years, but the defense team still for the most part is operating like it's 1995 and the idea that a program might be used on a network is still like some sort of major revelation.

(I'm on the defense side personally. It feels about like this: https://youtu.be/MPt7Kbj2YNM?t=2m11s In theory, I am powerful, in theory I control the field, in theory all the advantages should be mine, but....)

[1]: http://beefproject.com/

[sago]

I wasn't considering anything, let alone 'making an argument'. Anyone who listens to non-specialists like me to determine security strategy is asking for trouble.

I also wasn't making any comment about 'banking on difficulty of exploit', what I was asking for was relative risk. I think that all code is exploitable. The question I had was, is the exploitation of a particular UAF bug sufficiently easy that it outweighs the base risk of a new exploit being found. If I have finite resources, understanding where to apply them to improve risk is important.

The other responses have answered my question in some detail.

[jerf]

I'm sorry, my tone was not intended as "what are you even talking about!?!". My tone is intended to convey that security penetration skills have become scarily good and "is it theoretical?" is almost no longer a question worth asking, because the skills, techniques, and tools to take what superficially seems to be a hairline crack into full-blown network ownership are unbelievably well developed.

As I said, I am on the defense side myself, and I will freely admit I can get a bit tetchy when doubt of the viability of a vulnerability occurs; I frequently find myself in the position of being a "team captain" trying to explain that, no, seriously y'all, the other team is coming to play, they've been working out, they take illegal steroids, they practice six days a week, they don't play by the rules and they're coming for our scalps and you're on your third beer telling each other how easy this is going to be... it's not exactly game-winning prep you're doing here....

[thefreeman]

This article is a perfect example of this: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-n...

The author was able to take an off by one error which allowed writing a single null byte all the way to full code execution. These guys are unbelievably good at what they do, and as you state, you can pretty much assume that any vulnerability is exploitable with sufficient effort and skill.

[airza]

Usually you set these up by aggressively spraying the heap by allocating objects so that copies of the code you're trying to execute are thousands or more of places that are also aligned to the page boundary. The heap doesn't do things that are that random (depending on how new the browser is, obviously) so the intention is to make it so your free'd object is replaced with an evil one that has a malicious virtual memory table and will jump somewhere in that heap (to a specific address which will work if you sprayed the heap correctly, and sometimes to one which is calculated with ASLR.)

If you get to an attacker controlled website, it shouldn't be that hard to pull off most of the time, though definitely not deterministic.

(Man, remind me to check that this isn't all horribly wrong after defcon...)

[pjc50]

There is an entire industry of exploit frameworks waiting for this sort of thing to be slotted in and then deployed on compromised ad network servers to download CryptoLocker or similar for-profit malware. Things can go bad very quickly.