"I can confirm that this bug did not exist before and was last introduced because the devs forgot why there was a regex there to begin with. Ortega also confirms us that the exploitation of this issue requires chaining a couple of vulnerabilities found by two other security researchers from Argentina, Ivan and Juliano.
However we are tracking a heap corruption issue, and it's very likely than the javascript execution could lead to native code execution with additional research." Ortega told The Hacker News. "For the time being, we can only confirm the execution of javascript code. Although technical details of the vulnerability have not been revealed as of now, the issue appears to be a remote code execution vulnerability in Signal or at least something very close to persistent cross-site scripting (XSS) which eventually could allow attackers to inject malicious code onto targeted Windows and Linux systems.
0 kommentar(er)
