Diffstat (limited to 'en/security/overview')
-rw-r--r-- | en/security/overview/acknowledgements.html | 317
-rw-r--r-- | en/security/overview/updates-resources.html | 10
2 files changed, 153 insertions, 174 deletions
diff --git a/en/security/overview/acknowledgements.html b/en/security/overview/acknowledgements.html index cb24c0bf..d63ad8f0 100644 --- a/en/security/overview/acknowledgements.html +++ b/en/security/overview/acknowledgements.html 
@@ -37,6 +37,68 @@ Rewards</a> program.</p> <p>In 2018, the security acknowledgements are listed by month. In prior years, acknowledgements were listed together.</p> +<h4 id="nov-2018">November</h4> + +<table> + <tr> + <th>Researchers</th> + <th>CVEs</th> + </tr> + <tr> + <td><a href="https://twitter.com/amarekano" class="external">Amar + Menezes</a> of <a href="https://labs.mwrinfosecurity.com/" + class="external">MWR Labs</a></td> + <td>CVE-2018-9524</td> + </tr> + <tr> + <td>Elphet and Gong Guang of Alpha Team, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2018-9569, CVE-2018-9570, CVE-2018-9573, CVE-2018-9576, + CVE-2018-9577</td> + </tr> + <tr> + <td>En He (<a href="https://twitter.com/@heeeeen4x" + class="external">@heeeeen4x</a>) and Bo Liu of MS509Team + (<a href="http://www.ms509.com" class="external">www.ms509.com</a>)</td> + <td>CVE-2018-9457</td> + </tr> + <tr> + <td><a href="https://github.com/michalbednarski" class="external">Michał + Bednarski</a></td> + <td>CVE-2018-9522, CVE-2018-9523</td> + </tr> + <tr> + <td>Niky1235 (<a href="https://twitter.com/jiych_guru" + class="external">@jiych_guru</a>)</td> + <td>CVE-2018-9347</td> + </tr> + <tr> + <td>Tamir Zahavi-Brunner (<a href="https://twitter.com/tamir_zb" + class="external">@tamir_zb</a>) + of Zimperium zLabs Team</td> + <td>CVE-2018-9539</td> + </tr> + <tr> + <td>Xiaobo Xiang of IIE; Gong Guang of Alpha Team, Qihoo 360 Technology Co. 
+Ltd.</td> + <td>CVE-2018-9571, CVE-2018-9572, CVE-2018-9574, CVE-2018-9575</td> + </tr> + <tr> + <td>Yongke Wang + (<a href="https://twitter.com/rudykewang" class="external">@Rudykewang</a>) + and Xiangqian Zhang + (<a href="https://twitter.com/h3rb0x" class="external">@h3rb0x</a>) of + <a href="https://xlab.tencent.com/en/" class="external">Tencent Security + Xuanwu Lab</a></td> + <td>CVE-2018-9540, CVE-2018-9541</td> + </tr> + <tr> + <td>Zinuo Han(<a href="http://weibo.com/ele7enxxh" + class="external">weibo.com/ele7enxxh</a>) + of Chengdu Security Response Center, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2018-9527, CVE-2018-9544, CVE-2018-9545, CVE-2018-9578</td> + </tr> +</table> + <h4 id="oct-2018">October</h4> <table> @@ -144,8 +206,7 @@ Chengdu Security Response Center, Qihoo 360 Technology Co. Ltd.</td> <td>En He (<a href="https://twitter.com/@heeeeen4x" class="external">@heeeeen4x</a>) and Bo Liu of MS509Team - (<a href="http://www.ms509.com" class="external">ms509.com</a>) - </td> + (<a href="http://www.ms509.com" class="external">ms509.com</a>)</td> <td>CVE-2018-9475</td> </tr> <tr> @@ -202,8 +263,7 @@ Chengdu Security Response Center, Qihoo 360 Technology Co. Ltd.</td> <td>Zinuo Han (<a href="http://weibo.com/ele7enxxh" class="external">weibo.com/ele7enxxh</a>) of Chengdu Security Response Center, Qihoo 360 Technology Co. Ltd.</td> - <td>CVE-2018-9471, CVE-2018-9474, CVE-2018-9483, CVE-2018-9484, CVE-2018-9486 - </td> + <td>CVE-2018-9471, CVE-2018-9474, CVE-2018-9483, CVE-2018-9484, CVE-2018-9486</td> </tr> </table> 
@@ -557,146 +617,102 @@ class="external">Mobile Security Research Team</a>, <th>CVEs</th> </tr> <tr> - <td>Billy Lau of Google - </td> - <td>CVE-2017-13305 - </td> + <td>Billy Lau of Google</td> + <td>CVE-2017-13305</td> </tr> <tr> <td><a href="http://weibo.com/csddl">Chong Wang</a> of Chengdu Security Response Center, Qihoo - 360 Technology Co. Ltd - </td> - <td>CVE-2017-13287 - </td> + 360 Technology Co. Ltd</td> + <td>CVE-2017-13287</td> </tr> <tr> <td><a href="http://weibo.com/csddl">Chong Wang</a> and <a href="http://weibo.com/ele7enxxh">Zinuo Han</a> of Chengdu Security Response Center, - Qihoo 360 Technology Co. Ltd - </td> - <td>CVE-2017-13289, CVE-2017-13286 - </td> + Qihoo 360 Technology Co. Ltd</td> + <td>CVE-2017-13289, CVE-2017-13286</td> </tr> <tr> - <td>Cusas @ Huawei L.O. Team - </td> - <td>CVE-2017-13279 - </td> + <td>Cusas @ Huawei L.O. Team</td> + <td>CVE-2017-13279</td> </tr> <tr> - <td>Daxing Guo of Tencent's Xuanwu Lab - </td> - <td>CVE-2017-13292, CVE-2017-13303 - </td> + <td>Daxing Guo of Tencent's Xuanwu Lab</td> + <td>CVE-2017-13292, CVE-2017-13303</td> </tr> <tr> <td>Dinesh Venkatesan (<a href="https://twitter.com/malwareresearch">@malwareresearch</a>) - of Symantec - </td> - <td>CVE-2017-13295 - </td> + of Symantec</td> + <td>CVE-2017-13295</td> </tr> <tr> - <td>Elphet and Gong Guang of Alpha Team, Qihoo 360 Technology Co. Ltd - </td> - <td>CVE-2017-13276 - </td> + <td>Elphet and Gong Guang of Alpha Team, Qihoo 360 Technology Co. 
Ltd</td> + <td>CVE-2017-13276</td> </tr> <tr> <td>En He (<a href="https://twitter.com/heeeeen4x">@heeeeen4x</a>) and Bo Liu of - <a href="http://www.ms509.com">MS509Team</a> - </td> - <td>CVE-2017-13294 - </td> + <a href="http://www.ms509.com">MS509Team</a></td> + <td>CVE-2017-13294</td> </tr> <tr> - <td>Eric Leong (<a href="https://twitter.com/ericwleong">@ericwleong</a>) - </td> - <td>CVE-2017-13301 - </td> + <td>Eric Leong (<a href="https://twitter.com/ericwleong">@ericwleong</a>)</td> + <td>CVE-2017-13301</td> </tr> <tr> - <td>Hao Chen and Guang Gong of Alpha Team, Qihoo 360 Technology Co. Ltd. - </td> - <td>CVE-2018-3596 - </td> + <td>Hao Chen and Guang Gong of Alpha Team, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2018-3596</td> </tr> <tr> - <td>Haosheng Wang (<a href="https://twitter.com/gnehsoah">@gnehsoah</a>) - </td> - <td>CVE-2017-13280 - </td> + <td>Haosheng Wang (<a href="https://twitter.com/gnehsoah">@gnehsoah</a>)</td> + <td>CVE-2017-13280</td> </tr> <tr> - <td>Jean-Baptiste Cayrou (<a href="https://twitter.com/jbcayrou">@jbcayrou</a>) - </td> - <td>CVE-2017-13284 - </td> + <td>Jean-Baptiste Cayrou (<a href="https://twitter.com/jbcayrou">@jbcayrou</a>)</td> + <td>CVE-2017-13284</td> </tr> <tr> <td>Jianjun Dai (<a href="https://twitter.com/Jioun_dai">@Jioun_dai</a>) and - Guang Gong of Alpha Team, Qihoo 360 Technology Co. Ltd - </td> - <td>CVE-2017-13291, CVE-2017-13283, CVE-2017-13282, CVE-2017-13281, CVE-2017-13267 - </td> + Guang Gong of Alpha Team, Qihoo 360 Technology Co. 
Ltd</td> + <td>CVE-2017-13291, CVE-2017-13283, CVE-2017-13282, CVE-2017-13281, CVE-2017-13267</td> </tr> <tr> - <td>Patrick Delvenne (<a href="https://twitter.com/wintzx">@wintzx</a>) of Orange Labs - </td> - <td>CVE-2018-3584 - </td> + <td>Patrick Delvenne (<a href="https://twitter.com/wintzx">@wintzx</a>) of Orange Labs</td> + <td>CVE-2018-3584</td> </tr> <tr> - <td>Pengfei Ding (丁鹏飞), Chenfu Bao (包沉浮), Lenx Wei (韦韬) of Baidu X-Lab (百度安全实验室) - </td> - <td>CVE-2017-13306, CVE-2017-13290, CVE-2017-15837 - </td> + <td>Pengfei Ding (丁鹏飞), Chenfu Bao (包沉浮), Lenx Wei (韦韬) of Baidu X-Lab (百度安全实验室)</td> + <td>CVE-2017-13306, CVE-2017-13290, CVE-2017-15837</td> </tr> <tr> - <td>Tencent Blade Team - </td> - <td>CVE-2017-15853 - </td> + <td>Tencent Blade Team</td> + <td>CVE-2017-15853</td> </tr> <tr> - <td>Vasily Vasiliev - </td> - <td>CVE-2017-13297 - </td> + <td>Vasily Vasiliev</td> + <td>CVE-2017-13297</td> </tr> <tr> - <td>Weichao Sun of Alibaba Inc (<a href="https://twitter.com/sunblate">@sunblate</a>) - </td> - <td>CVE-2017-13277 - </td> + <td>Weichao Sun of Alibaba Inc (<a href="https://twitter.com/sunblate">@sunblate</a>)</td> + <td>CVE-2017-13277</td> </tr> <tr> <td><a href="mailto:huahuaisadog@gmail.com">Yang Dai</a> and - <a href="http://weibo.com/panyu6325">Yu Pan</a> of Vulpecker Team, Qihoo 360 Technology Co. Ltd - </td> - <td>CVE-2017-13304 - </td> + <a href="http://weibo.com/panyu6325">Yu Pan</a> of Vulpecker Team, Qihoo 360 Technology Co. Ltd</td> + <td>CVE-2017-13304</td> </tr> <tr> <td>Yonggang Guo (<a href="https://twitter.com/guoygang">@guoygang</a>) of IceSword Lab, - Qihoo 360 Technology Co. Ltd - </td> - <td>CVE-2017-8269, CVE-2017-13307, CVE-2018-5826 - </td> + Qihoo 360 Technology Co. Ltd</td> + <td>CVE-2017-8269, CVE-2017-13307, CVE-2018-5826</td> </tr> <tr> - <td>Zhongwen & Chao Dai @ Huawei L.O. Team - </td> - <td>CVE-2017-13274 - </td> + <td>Zhongwen & Chao Dai @ Huawei L.O. 
Team</td> + <td>CVE-2017-13274</td> </tr> <tr> <td><a href="http://weibo.com/ele7enxxh">Zinuo Han</a> of Chengdu Security Response Center, - Qihoo 360 Technology Co. Ltd - </td> + Qihoo 360 Technology Co. Ltd</td> <td>CVE-2017-13288, CVE-2017-13298, CVE-2017-13296, CVE-2017-13299, - CVE-2017-13275, CVE-2017-13285 - </td> + CVE-2017-13275, CVE-2017-13285</td> </tr> </table> 
@@ -816,119 +832,85 @@ Response Center of Qihoo 360 Technology Co. Ltd.</td> <tr> <td>Aaron Willey, autoprime (<a href="https://twitter.com/utoprime?lang=en">@utoprime</a>), and Tyler Montgomery -(<a href="https://twitter.com/tylerfixer">@tylerfixer</a>) of Team Codefire - </td> - <td>CVE-2017-13238 - </td> +(<a href="https://twitter.com/tylerfixer">@tylerfixer</a>) of Team Codefire</td> + <td>CVE-2017-13238</td> </tr> <tr> - <td>Cusas (华为公司的cusas) - </td> - <td>CVE-2017-13235 - </td> + <td>Cusas (华为公司的cusas)</td> + <td>CVE-2017-13235</td> </tr> <tr> <td>Elphet and Gong Guang of -Alpha Team, Qihoo 360 Technology Co. Ltd. - </td> - <td>CVE-2017-13229 - </td> +Alpha Team, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2017-13229</td> </tr> <tr> <td>En He (<a href="https://twitter.com/heeeeen4x">@heeeeen4x</a>) and Bo Liu -of <a href="http://www.ms509.com">MS509Team</a> - </td> - <td>CVE-2017-13242 - </td> +of <a href="http://www.ms509.com">MS509Team</a></td> + <td>CVE-2017-13242</td> </tr> <tr> - <td>Gal Beniamini of Google - </td> - <td>CVE-2017-13236 - </td> + <td>Gal Beniamini of Google</td> + <td>CVE-2017-13236</td> </tr> <tr> - <td>Hao Chen and Guang Gong of Alpha Team, Qihoo 360 Technology Co. Ltd. - </td> - <td>CVE-2017-13245 - </td> + <td>Hao Chen and Guang Gong of Alpha Team, Qihoo 360 Technology Co. 
Ltd.</td> + <td>CVE-2017-13245</td> </tr> <tr> <td>Hongli Han (<a href="https://twitter.com/HexB1n">@HexB1n</a>), <a href="mailto:shaodacheng2016@gmail.com">Dacheng Shao</a> and Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>) of -<a href="http://c0reteam.org">C0RE Team</a> - </td> - <td>CVE-2017-6258 - </td> +<a href="http://c0reteam.org">C0RE Team</a></td> + <td>CVE-2017-6258</td> </tr> <tr> <td>Hongli Han (<a href="https://twitter.com/HexB1n">@HexB1n</a>), Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>) of -<a href="http://c0reteam.org">C0RE Team</a> - </td> - <td>CVE-2017-17767, CVE-2017-6279 - </td> +<a href="http://c0reteam.org">C0RE Team</a></td> + <td>CVE-2017-17767, CVE-2017-6279</td> </tr> <tr> <td>Mingjian Zhou (周明建) (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>) of -<a href="http://c0reteam.org">C0RE Team</a> - </td> - <td>CVE-2017-13241, CVE-2017-13231 - </td> +<a href="http://c0reteam.org">C0RE Team</a></td> + <td>CVE-2017-13241, CVE-2017-13231</td> </tr> <tr> - <td>Nightwatch Cybersecurity Research - </td> - <td>CVE-2017-13243 - </td> + <td>Nightwatch Cybersecurity Research</td> + <td>CVE-2017-13243</td> </tr> <tr> <td><a href="mailto:jiych.guru@gmail.com">Niky1235</a> - (<a href="https://twitter.com/jiych_guru">@jiych_guru</a>) - </td> - <td>CVE-2017-13230, CVE-2017-13234 - </td> + (<a href="https://twitter.com/jiych_guru">@jiych_guru</a>)</td> + <td>CVE-2017-13230, CVE-2017-13234</td> </tr> <tr> - <td>Outware - </td> - <td>CVE-2017-13239 - </td> + <td>Outware</td> + <td>CVE-2017-13239</td> </tr> <tr> <td>Qidan He (<a href="https://twitter.com/flanker_hqd?lang=en">@flanker_hqd</a>) - of PDD Security Team - </td> - <td>CVE-2017-13246 - </td> + of PDD Security Team</td> + <td>CVE-2017-13246</td> </tr> <tr> - <td>Xiling Gong of Tencent Security Platform Department - </td> - <td>CVE-2017-15852 - </td> + <td>Xiling Gong of Tencent Security Platform Department</td> + 
<td>CVE-2017-15852</td> </tr> <tr> <td>Yonggang Guo (<a href="https://twitter.com/guoygang">@guoygang</a>) of -IceSword Lab, Qihoo 360 Technology Co. Ltd. - </td> - <td>CVE-2017-13273 - </td> +IceSword Lab, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2017-13273</td> </tr> <tr> - <td>ZhangBo of Tencent Security Platform Department - </td> - <td>CVE-2015-9016 - </td> + <td>ZhangBo of Tencent Security Platform Department</td> + <td>CVE-2015-9016</td> </tr> <tr> <td><a href="http://weibo.com/ele7enxxh">Zinuo Han</a> from Chengdu Security -Response Center of Qihoo 360 Technology Co. Ltd. - </td> - <td>CVE-2017-13232 - </td> +Response Center of Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2017-13232</td> </tr> </table> @@ -1351,8 +1333,7 @@ CVE-2017-0792, CVE-2017-0825, CVE-2017-6424</td> (<a href="https://twitter.com/HexB1n">@HexB1n</a>) of <a href="http://c0reteam.org/">C0RE Team</a></td> <td>CVE-2017-0384, CVE-2017-0385, CVE-2017-0731, CVE-2017-0739, - CVE-2017-13154, CVE-2017-6276 - </td> + CVE-2017-13154, CVE-2017-6276</td> </tr> <tr> <td>hujianfei of Qihoo360 Qex Team</td> @@ -1494,8 +1475,7 @@ CVE-2017-0666, CVE-2017-0681, CVE-2017-0684, CVE-2017-0731, CVE-2017-0737, CVE-2017-0739, CVE-2017-0765, CVE-2017-0768, CVE-2017-0769, CVE-2017-0779, CVE-2017-0801, CVE-2017-0812, CVE-2017-0815, CVE-2017-0816, CVE-2017-0836, CVE-2017-0837, CVE-2017-0840, CVE-2017-0857, CVE-2017-8080, CVE-2017-6276, -CVE-2017-13152, CVE-2017-13154, CVE-2017-13166, CVE-2017-13169, CVE-2017-14904 - </td> +CVE-2017-13152, CVE-2017-13154, CVE-2017-13166, CVE-2017-13169, CVE-2017-14904</td> </tr> <tr> <td>Monk Avel</td> 
@@ -1804,8 +1784,7 @@ CVE-2017-0801, CVE-2017-7368, CVE-2017-8264, CVE-2017-10661</td> <td><a href="mailto:huahuaisadog@gmail.com">Yang Dai</a> of Vulpecker Team, Qihoo 360 Technology Co. Ltd</td> <td>CVE-2017-0795, CVE-2017-0799, CVE-2017-0804, CVE-2017-0803, - CVE-2017-6262, CVE-2017-6263, CVE-2017-6280 - </td> + CVE-2017-6262, CVE-2017-6263, CVE-2017-6280</td> </tr> <tr> <td>Yang Song of Alibaba Mobile Security Group</td> @@ -1813,8 +1792,7 @@ Qihoo 360 Technology Co. Ltd</td> CVE-2017-0565, CVE-2017-0711, CVE-2017-0741, CVE-2017-0742, CVE-2017-0751, CVE-2017-0796, CVE-2017-0798, CVE-2017-0800, CVE-2017-0827, CVE-2017-0842, CVE-2017-0843, CVE-2017-0864, CVE-2017-11000, CVE-2017-11059, CVE-2017-9703, -CVE-2017-9708, CVE-2017-13170 - </td> +CVE-2017-9708, CVE-2017-13170</td> </tr> <tr> <td>Yanick Fratantonio (UC Santa Barbara, Shellphish Grill Team, EURECOM)</td> @@ -1860,8 +1838,7 @@ Lab</a></td> <td>Yu Pan of Vulpecker Team, Qihoo 360 Technology Co. Ltd</td> <td>CVE-2016-10282, CVE-2017-0517, CVE-2017-0532, CVE-2017-0615, CVE-2017-0618, CVE-2017-0625, CVE-2017-0795, CVE-2017-0799, CVE-2017-0804, -CVE-2017-0803, CVE-2017-6262, CVE-2017-6263, CVE-2017-6280 - </td> +CVE-2017-0803, CVE-2017-6262, CVE-2017-6263, CVE-2017-6280</td> </tr> <tr> <td><a href="mailto:computernik@gmail.com">Yuan-Tsung Lo</a> of <a diff --git a/en/security/overview/updates-resources.html b/en/security/overview/updates-resources.html index ddc053a4..d1aa9b61 100644 --- a/en/security/overview/updates-resources.html +++ b/en/security/overview/updates-resources.html 
@@ -225,10 +225,12 @@ remote. These include bugs that can be exploited only by an attacker who is physically near the target device, for example a bug that requires sending malformed Wi-Fi or Bluetooth packets.</p> -<p>Local attacks require the victim to install an app. For the purpose of severity -ratings, the Android security team also considers physical attack vectors as -local. These include bugs that can be exploited only by an attacker who has -physical access to the device, for example a bug in a lock screen or one that +<p>Local attacks require the victim to run an app, either by installing and running +an app or by consenting to run an +<a href="https://developer.android.com/topic/google-play-instant/">Instant App</a>. +For the purpose of severity ratings, the Android security team also considers physical +attack vectors as local. These include bugs that can be exploited only by an attacker +who has physical access to the device, for example a bug in a lock screen or one that requires plugging in a USB cable. The Android security team also considers NFC-based attacks as local.</p> |
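Review bot: In the new November table (acknowledgements.html, hunk -37,6 +37,68) the En He row links to https://twitter.com/@heeeeen4x, while the 2017 rows in this same file use https://twitter.com/heeeeen4x; drop the "@" from the path so the profile URL has one form. The same table writes "Zinuo Han(" with no space before the parenthesis, where the October row has "Zinuo Han (", and shows the MS509Team link text as www.ms509.com where the October row shows ms509.com.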
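Review bot: The rejoined row "Zhongwen & Chao Dai @ Huawei L.O. Team" in the acknowledgements.html hunk -557,146 +617,102 still carries an unescaped ampersand; since the line is being rewritten anyway, escape it as &amp;amp;, the safe form for a literal ampersand in HTML text. The company suffix is also left mixed in this hunk ("Co. Ltd" in most rows, "Co. Ltd." in the Hao Chen row), so pick one spelling while the cells are being tidied.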
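Review bot: Two profile links rejoined in the acknowledgements.html hunk -816,119 +832,85 keep a ?lang=en query string (twitter.com/utoprime?lang=en and twitter.com/flanker_hqd?lang=en) that no other Twitter link in the visible rows has; strip it so the URLs are canonical. The rows touched here also omit the class="external" attribute that the new November table sets on every outbound link, and the Niky1235 row here exposes a mailto: address that the November row for the same researcher does not, so this cleanup is a good place to settle both conventions.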
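Review bot: The replacement paragraph in updates-resources.html (hunk -225,10 +225,12) repeats itself, "run an app, either by installing and running an app or by consenting to run", and leaves "consenting" undefined even though it now decides whether a bug is rated as local; consider "Local attacks require the victim to run an app, either one they installed or an Instant App they agreed to run" and say what counts as consent. The added lines also exceed the wrap width of the unchanged lines around them (for example the line beginning "For the purpose of severity ratings"), so rewrap the paragraph.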