ASW #201 - IE11 Goes to Zero - podcast episode cover

ASW #201 - IE11 Goes to Zero

Jul 12, 20221 hr 4 min
--:--
--:--
Download Metacast podcast app
Listen to this episode in Metacast mobile app
Don't just listen to podcasts. Learn from them with transcripts, summaries, and chapters for every episode. Skim, search, and bookmark insights. Learn more

Episode description

This week in the AppSec News: SynLapse shows shell injection via ODBC, Java deserialization example, MFA for Ruby Gems ecosystem, simple flaws in firmware, the decade-long journey of a Safari vuln, & more!

 

IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well -- RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we've finally moved on from a browser with an outdated security architecture, we're still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues.

References:

- https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf

- https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v

- https://web.archive.org/web/20130719064943/http://www.microsoft.com/security/msrc/report/IE11.aspx

- https://web.archive.org/web/20190507215514/https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw201

For the best experience, listen in Metacast app for iOS or Android
Open in Metacast
ASW #201 - IE11 Goes to Zero | Application Security Weekly (Audio) podcast - Listen or read transcript on Metacast