Tavis Ormandy

@taviso

Followers: 127,358
Following: 644
Media: 211
Statuses: 9,092

Vulnerability researcher at Google. This is a personal stream, opinions expressed are mine. I'm also @taviso@social.sdf.org

California
Joined April 2008
Pinned Tweet
@taviso
Tavis Ormandy
6 years
I finally wrote a small tool I've wanted for a long time: A parallel testcase minimizer. It's called halfempty, and I'm already finding it useful as part of my fuzzing workflow. /cc @lcamtuf
@taviso
Tavis Ormandy
5 years
I'm publishing some 🔥 research today, a major design flaw in Windows that's existed for almost *two decades*. I wrote a blog post on the story of the discovery all the way through to exploitation.
@taviso
Tavis Ormandy
5 years
Am I the first person to pop a shell in notepad? 🤣 ....believe it or not, it's a real bug! 🐞
@taviso
Tavis Ormandy
4 years
I have something fun for you, I pulled the javascript interpreter out of Avast and ported it to Linux 😆 This runs unsandboxed as SYSTEM, any vulns are wormable pre-auth RCE on 400M endpoints ¯\_(ツ)_/¯ 🐧
@taviso
Tavis Ormandy
7 years
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc.
@taviso
Tavis Ormandy
7 years
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥
@taviso
Tavis Ormandy
6 years
Natalie bricked a room full of Apple engineers' phones when they asked her to help repro this! 😆 Answer a FaceTime call from an attacker, and remote iOS kernel memory corruption....
@natashenka
Natalie Silvanovich
6 years
So, fuzzing FaceTime calls led to a kernel panic
@taviso
Tavis Ormandy
7 years
I have an evil plan...I'll send Microsoft a real win32k vulnerability, but the testcase triggers five other bugchecks they refuse to fix. 😈
@taviso
Tavis Ormandy
3 months
Hah, reviewing commits I notice that Jia Tan cannot spell the word "guarantee" correctly -- he misspelled it multiple times in commit messages. How can I grep every repo in github for the same spelling error? 😂
@taviso
Tavis Ormandy
8 years
Kernel memory corruption in Symantec/Norton antivirus, CVE-2016-2208 (more patches soon).
@taviso
Tavis Ormandy
11 months
First big result from our new CPU research project, a use-after-free in AMD Zen2 processors! 🔥 AMD have just released updated microcode for affected systems, please update!
@taviso
Tavis Ormandy
2 years
@k8em0 True story: After cloudbleed, cloudflare literally lobbied the FTC to investigate me and question the legality of openly discussing security research. How come they're not lobbying their DC friends to investigate the legality KF? 🤷‍♂️
@taviso
Tavis Ormandy
6 years
All Blizzard games (World of Warcraft, Overwatch, Diablo III, Starcraft II, etc.) were vulnerable to DNS rebinding vulnerability allowing any website to run arbitrary code. 🎮
@taviso
Tavis Ormandy
6 years
The bitcoin wallet Electrum allows any website to steal your bitcoins. I was gonna report it...but there was already an open issue from last year. I pointed out this is kinda critical, and they made a new release within a few hours. Update to 3.0.4 if you use it.
@taviso
Tavis Ormandy
7 years
Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way.
@taviso
Tavis Ormandy
7 years
I bought a Seiko UC-2200 to play with, a wrist computer from 1984. It has a Microsoft BASIC interpreter and a tiny thermal printer. ⌚️🖥️
@taviso
Tavis Ormandy
3 years
Yikes, someone found a buffer overflow in GNU screen that's reachable via irssi... it's almost like the old days. The reporter says it was found in the wild, apparently used to DoS a minecraft server. 🤷‍♂️
@taviso
Tavis Ormandy
4 years
OK, here's a mystery for you. For over a decade, every July someone has posted this exact question to LKML. My theory is it's being sent by a ghost trapped in a PC speaker looking for help to pass on... 👻
@taviso
Tavis Ormandy
5 years
@SwiftOnSecurity Did you know you just dropped a 0day on twitter? 😂
@taviso
Tavis Ormandy
7 years
I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability.
@taviso
Tavis Ormandy
7 years
Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing.
@taviso
Tavis Ormandy
3 years
I always get angry replies when I say "use a password manager" is bad advice, but I stand by that! Here are some weekend thoughts about it (tl;dr just use chrome!) 😆
@taviso
Tavis Ormandy
7 years
Apparently I opened Pandora's box this morning, and a bunch of 0day fell out. This is gonna be a pain to clean up.
@taviso
Tavis Ormandy
8 months
New write-up on an Intel Ice Lake CPU vulnerability, we can effectively corrupt the RoB with redundant prefixes! 🔥 An updated microcode is available today for all affected products, cloud providers should patch ASAP.
@taviso
Tavis Ormandy
7 years
Remotely Exploitable Type Confusion in Windows 8, 10, Windows Server and more found by @natashenka and me
@taviso
Tavis Ormandy
7 years
There was a secret URL in WebEx that allowed any website to run arbitrary code. ¯\_(ツ)_/¯
@taviso
Tavis Ormandy
6 years
Today is the first day of my sabbatical! Don't worry, I'll be back, this is my first research break in a very long time. If you catch me on twitter, remind me to get back to not thinking about security 😁 Hopefully you will all have solved security by the time I get back. 😎
@taviso
Tavis Ormandy
6 years
This is amazing, Windows Defender used the open source unrar code, but changed all the signed ints to unsigned for some reason, breaking the code. @halvarflake noticed and got it fixed. Remote SYSTEM memory corruption 😨
@ProjectZeroBugs
Project Zero Bugs
6 years
mpengine contains unrar code forked from unrar prior to 5.0, introduces new bug while fixing others
@taviso
Tavis Ormandy
4 years
How it started How it's going
@taviso
Tavis Ormandy
3 years
Funny bug, you can use xscreensaver to run tcpdump without root on debian. I don't really know what the solution is, it's not an easy one to solve.
@taviso
Tavis Ormandy
5 years
Interesting thread about a reverse engineering IDA-like tool the NSA are apparently planning to open source soon. Fingers crossed this shakes up the RE ecosystem 🤞🏻
@taviso
Tavis Ormandy
2 years
Well, fast forward to today...I was chatting with an old BBS sysop who had backups from back in the day, and unbelievably was able to recover a warez copy of the compiler... mind blown lol. 3/3
@taviso
Tavis Ormandy
7 years
Well, that's a new one. Handwritten letter in my mailslot at work, someone in jail wanted to share their theories on integer factorization.
@taviso
Tavis Ormandy
5 years
LOL, I spent weeks reversing the SymCrypt libraries, and then Microsoft open sources the code 🤣 Well, at least I can annotate my bug reports now... 🐞
@taviso
Tavis Ormandy
2 years
Another unexpected discovery from the archives of a 90s warez BBS! 🏴‍☠️ Now a native Linux port of Lotus 1-2-3 is finally possible -- 32 years after its release! 😆
@taviso
Tavis Ormandy
5 years
Some cars are powered by gas, some cars are electric - my car is atomic ☢️ 😆
@taviso
Tavis Ormandy
2 years
I had a stupid idea for a game, "Katamascii" - like Katamari, but you roll around in your terminal collecting ascii art objects lol... I wasted my weekend on this 😂
@taviso
Tavis Ormandy
7 years
Could someone from cloudflare security urgently contact me.
@taviso
Tavis Ormandy
5 years
LastPass could leak the last used credentials due to a cache not being updated. This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way!
@ProjectZeroBugs
Project Zero Bugs
5 years
lastpass: bypassing do_popupregister() leaks credentials from previous site
@taviso
Tavis Ormandy
7 years
Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way.
@taviso
Tavis Ormandy
6 years
To all the people telling me this will never happen, and I should stop trash talking 2FA (TOTP, SMS, etc *not* U2F). Please read this, then kindly apologise.
@taviso
Tavis Ormandy
7 years
Multiple Cisco Webex remote code execution vulnerabilities, and working exploit. Patch ASAP. 🐞
@taviso
Tavis Ormandy
5 years
I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't.
@taviso
Tavis Ormandy
7 years
I was curious if the watermark detection in photoshop, printer drivers, etc, has any attack surface. Just got it working on Linux.
@taviso
Tavis Ormandy
8 years
Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.
@taviso
Tavis Ormandy
2 years
I'm interested in the history of Lotus 1-2-3, the old DOS spreadsheet. It had its own extension language called LPL, but the compiler was thought to be lost. I've talked to some of the engineers who worked on it, but they didn't save things like SDKs. 1/3
@taviso
Tavis Ormandy
4 years
Will confirms all X.509 validation broken, not just code signing. Okay, I'm back on the hype train, that's pretty bad.
@wdormann
Will Dormann
4 years
@taviso
Tavis Ormandy
7 years
LastPass have fixed the remote code execution bug I reported last week. 🚿🐛
@taviso
Tavis Ormandy
6 years
I found this complete lot of DC hacker comics from 1992. Random nonsense snippets of UNIX and C, it's super fun. The 90s ads are great nostalgia.
@taviso
Tavis Ormandy
4 years
Here are the details of the remote code execution vulnerability @natashenka and I found in Avast Antivirus earlier this year. An unsandboxed JavaScript interpreter was running untrusted JavaScript with SYSTEM privileges 🤦‍♂️
@taviso
Tavis Ormandy
4 years
Wow - Avast decided to disable their JavaScript interpreter globally! The vulnerability report they mention wasn't just me, it was a Project Zero collaboration with @natashenka 🔥🔥🔥 I think this is the right decision, it was a *lot* of attack surface.
@Avast
Avast
4 years
1/2-Last week, 3/4 @taviso reported a vulnerability to us in one of our emulators, which in theory could have been abused for RCE. On 3/9 he released a tool to simplify vuln. analysis in the emulator. Today, to protect our hundreds of millions of users, we disabled the emulator.
@taviso
Tavis Ormandy
7 years
I wrote a fuzzer for the unsandboxed x86 emulator in Windows Defender and found arbitrary read/write.
@taviso
Tavis Ormandy
3 years
My weekend retro software hacking project was writing a display driver for Lotus 1-2-3, I actually got it working. You can now run 123 in a maximized xterm, I'm sure millions of you are now celebrating 😂
@taviso
Tavis Ormandy
5 years
Enable the microphone remotely without interaction in Signal 😮
@ProjectZeroBugs
Project Zero Bugs
5 years
Signal: Incoming call can be connected without user interaction
@taviso
Tavis Ormandy
3 years
The legend continues, the question was posted for the 15th consecutive year today! 👻
@taviso
Tavis Ormandy
4 years
OK, here's a mystery for you. For over a decade, every July someone has posted this exact question to LKML. My theory is it's being sent by a ghost trapped in a PC speaker looking for help to pass on... 👻
@taviso
Tavis Ormandy
5 years
Three out of the four vulnerabilities in the latest iOS advisory were exploited in the wild, yikes.
@taviso
Tavis Ormandy
5 years
This turned out to be a real vulnerability! 😮 The certificate was issued by @digicert , who are now required to revoke it. It was issued before mandatory CT, so didn't show up in . See for context.
@SwiftOnSecurity
SwiftOnSecurity
5 years
Me: Threat-hunting rare DNS lookups in a corporate network. Confluence:
@taviso
Tavis Ormandy
3 years
My weekend hacking project was trying to make a reddit NNTP gateway, so I can read discussions with slrn. It basically works, kinda pleased with it!
@taviso
Tavis Ormandy
3 years
oh god, we made Microsoft the bugtraq moderators.
@lorenzofb
Lorenzo Franceschi-Bicchierai
3 years
NEW: A researcher published proof-of-concept code to hack Microsoft Exchange servers on GitHub. GitHub has now taken it down arguing it violated its "Acceptable Use Policies."
@taviso
Tavis Ormandy
2 years
Hahaha, someone actually sent me a working Lotus 1-2-3 exploit 😂
@taviso
Tavis Ormandy
5 years
This bug was arguably a language specification flaw in PostScript, it required a huge cleanup effort to fix up. There's a working exploit attached.
@taviso
Tavis Ormandy
6 years
Vulnerability in Grammarly extension fixed (20M users), users should be auto-updated to a fixed version. Auth tokens were accessible to websites, allowing any website to login to your account and read all your docs.
@taviso
Tavis Ormandy
25 days
The libarchive e8 vulnerability is actually really cool, but the ZDI advisory doesn't explain why it's so wild lol. For some reason, I know about RAR filters, so let me provide the background. 🧵 1/n
@taviso
Tavis Ormandy
5 years
I got nerd sniped this weekend. I was playing the game Borderlands 3, this game has a huge variety of weapons, so part of the fun is finding new weird ones. Anyway, in one of the main areas there's this cool looking chest you can't open. 1/n
@taviso
Tavis Ormandy
7 years
There is an undocumented opcode in the MsMpEng x86 emulator that can access internal emulator commands ¯\_(ツ)_/¯
@taviso
Tavis Ormandy
7 years
Kaspersky identified SSL certificates by a 32-bit fingerprint (!!!), making it trivial for MITM to create collisions.
@taviso
Tavis Ormandy
7 years
Wrote a quick exploit for another LastPass vulnerability. Only affects version on (3.3.2), report on way. ¯\_(ツ)_/¯
@taviso
Tavis Ormandy
5 years
Then it was Sunday evening, and I realized I had spent more time working on this than actually playing the game 🤣
@taviso
Tavis Ormandy
7 years
Sigh, more critical remote mpengine vulns. Found on Linux then reproduced on Windows, full report on the way. This needs to be sandboxed.
@taviso
Tavis Ormandy
2 years
Hey Windows admins, I found this Word doc that makes the Windows Search Indexer use 100% cpu forever lol. I'm curious what happens if you upload it to SharePoint....? 🙈
@taviso
Tavis Ormandy
6 months
I wasted my afternoon writing an introduction to the Hiew hex editor 😆
@taviso
Tavis Ormandy
7 years
Everyone wants there to be simple answers in security, but sometimes there are no simple answers.
@taviso
Tavis Ormandy
5 years
That's funny, because I have to deal with the mess that people like you ship to customers. Amateurish code like FireEye with trivial vulnerabilities, promising desperate customers that if they just give you enough money you'll be secure from the boogeyman.
@taosecurity
Richard Bejtlich 💾 🇺🇦
5 years
@taviso I'm not on the frontlines of vuln research but I care about people who have to deal with the mess you disclosed, needlessly early in my opinion. It's not like Microsoft was ignoring or disrespecting you. Seriously, I expected better from someone who's been around as long as you.
@taviso
Tavis Ormandy
7 years
Very impressed with how fast @LastPass responds to vulnerability reports. If only all vendors were this responsive 👍
@taviso
Tavis Ormandy
6 years
I can make stupid flow charts too 😛
@taviso
Tavis Ormandy
7 years
. @natashenka Attack works against a default install, don't need to be on the same LAN, and it's wormable. 🔥
@taviso
Tavis Ormandy
2 years
Apparently I started at Google 15 years ago today 🥳
@taviso
Tavis Ormandy
6 years
Wow, this is amazing. Congratulations to the team, this is game changing.
@tanmayg
Tanmay Ganacharya
6 years
📢 Windows Defender Antivirus can now run in a sandbox! 📢 💥 First complete AV solution to have this capability 💥 This is a direct result of feedback that we received from the security industry. We encourage you to try this feature & give us feedback.
@taviso
Tavis Ormandy
5 years
Neat, I noticed a typo in a Twitter JavaScript library that broke message origin verification. Unexpectedly, they awarded me a $560 bounty, which I've donated to @libertyhq . Thanks @twittersecurity 😀
@taviso
Tavis Ormandy
5 years
Today is day 91, so the issue is now public. I consider this relatively low severity, but you could take down an entire Windows fleet relatively easily, so it's worth being aware of.
@taviso
Tavis Ormandy
2 years
@jonathandata1 @thegrugq @0xabad1dea I guess it's just my opinion that disassembling dalvik bytecode as x86 code then drawing red lines on it is kinda a weird thing to do? 🤷‍♂️
@taviso
Tavis Ormandy
8 years
More password manager bugs out today and more due out soon. I'm not going to look at more, the whole industry is crazy, you're on your own.
@taviso
Tavis Ormandy
5 years
I wonder if Apple has enough log data to determine if anyone abused the FaceTime bug, and if so, if they'll inform the victims.
@taviso
Tavis Ormandy
6 years
This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp.
@natashenka
Natalie Silvanovich
6 years
Memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation
@taviso
Tavis Ormandy
4 years
Hah, random shower thought: I bet you could use Tektronix mode to add popup ads to README files. 😈 A wasted hour later...
@taviso
Tavis Ormandy
7 years
Remember the unsandboxed javascript engine in Windows 10? Ian found an insane design flaw in the garbage collector.
@taviso
Tavis Ormandy
3 years
I only write one or two a year - and I don't think the IRS really cares - so nobody ever gets to appreciate my cool TNG cheques. 🖖☄🚀
@taviso
Tavis Ormandy
1 year
I'm still at Google, and still working on vulnerability research! I'm going to work on CPU security with Google ISE. We've already got 🔥🔥🔥 0day, reports are on the way 😎
@taviso
Tavis Ormandy
6 years
The replies you get when you say the word "bitcoin" 😆
@StormSoulTV
Adam Roberts
6 years
@taviso @attritionorg You don't know what I know and you're wrong, you also accept subpar security as a feature of a poorly implemented sandbox. If Google had a decent security sandbox you wouldn't have much to do, it's hard to find exploits that aren't there. Bad design then blames other apps.
@taviso
Tavis Ormandy
7 years
OK, exploit working and full report sent to LastPass. Now time to put some pants on. 👖
@taviso
Tavis Ormandy
5 years
I'm heading to Vegas for Blackhat, let me know if you want to chat! I've got some big announcements coming up, it's going to be 🔥
@taviso
Tavis Ormandy
3 years
This was the recently patched SYSTEM RCE in Windows Defender! No big surprise, memory corruption in a complex unpacker (in this case, some old version of ASProtect from the 90s). Security products are plagued by problems like this.😣
@ProjectZeroBugs
Project Zero Bugs
3 years
mpengine: asprotect embedded runtime dll memory corruption
@taviso
Tavis Ormandy
7 years
current status
@taviso
Tavis Ormandy
8 years
TrendMicro accidentally left a remote debugging server running on all customer machines ¯\_(ツ)_/¯ #oops
@taviso
Tavis Ormandy
9 years
I found a major antivirus vendor doing s/strncpy/strcpy/g on what *was* safe opensource code. #notjoking http://t.co/mVVKVw7ZUd
@taviso
Tavis Ormandy
6 years
True story: @laparisa once started a rumour at Google that I knew all the lyrics to "ice ice baby", and could sing it on request. I still get people asking me about it. 😆
@taviso
Tavis Ormandy
5 years
This was interesting, a minor bug report from a fuzzer was fixed incorrectly leading to a far more serious bug that the fuzzer never found. I don't know what the lesson is, but ¯\_(ツ)_/¯ /cc @hanno
@ProjectZeroBugs
Project Zero Bugs
5 years
gnutls: use after free vulnerability in verify_crt()