Posts
Microsoft Browser Vulnerability Research
Cancel

In a previous blogpost it covered and mentioned automation and how it is great at finding memory issues. We also got some feedback to expand on fuzzing, so this post will cover how we came to devel...

Introduction Today, we’re excited to announce some improvements to our experimental security feature in Microsoft Edge 98. This is a continuation of our previous post. If you have not read it, we ...

I usually write about achievements in the form of a browser bug that I found interesting, in hopes that someone reading will find it useful in their own bug hunting pursuits. However, in this blog ...

Introduction The VR team is experimenting with a new feature that challenges some conventional assumptions held by many in the browser community. Our hope is to build something that changes the mo...

In this post, we’ve invited David Erceg, one of the participants in the Edge bug bounty program, to talk about interesting bugs he found in Edge. By sharing this information, we hope more security...

Introduction When it comes to an application’s user interface (UI), one may care for the aesthetics, design consistency, simplicity, and clarity to ensure a good UI. However, an application like a...

After the research on Site Isolation, it became clear that the most common problem with extensions is calling chrome.tabs.create with a URL received from a content script message. While such a bug ...

Introduction Back in 2020 while reviewing Chromium code, I found issue 1068395, a Use-After-Free in Browser Process that can be used to escape the Chromium sandbox on Android Devices. This is an i...

In the previous blog post, I explained how Site Isolation and related security features help mitigate attacks such as UXSS and Spectre. However, security bugs in a renderer process are really commo...

Back in 2018, Chrome enabled Site Isolation by default, which mitigates attacks such as UXSS and Spectre. At the time, I was actively participating in the Chrome Vulnerability Reward Program, and I...