The fuzzy tale of an x/crypto vulnerability Michael McLoughlin Gophercon 2019 Lightning Talks Uber Advanced Technologies Group 8,140 lines of amd64 assembly in crypto 10,474 lines of amd64 assembly

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY1. Adversarial Scenarios 2. Vulnerability Trends 3. Exploits in the Wild 4. Strategies for Secure C++ DevelopmentWHOAMI 0x401006 Microsoft 0x40E04C Twitter # @malwareunicorn COMMUNITY 0x402023 JNE SIDE ACTIVITIESDay in the Life: Vulnerability Research ● Looking at code 75% ● Instrumenting fuzzing harnesses 5% ● Making POC when needed group CVE-2021-28310 CVE-2021-1732 • Used for privilege escalation • Out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe) • Attacker grooms the heap

Documentation, Release 6.5.1 5.22 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.23 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.29 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a

@kevin-bates • @virejdasani 5.21 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.22 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.28 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a

@kevin-bates • @virejdasani 5.15 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.16 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.22 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a

Documentation, Release 6.4.11 5.16 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.17 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.23 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a

@kevin-bates • @virejdasani 5.15 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.16 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.22 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a

Documentation, Release 6.4.12 5.16 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.17 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.23 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a

Documentation, Release 6.4.6 5.12 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.13 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.19 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a

@kevin-bates • @virejdasani 5.23 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.24 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.30 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a