DZ
DefZone.Net

Kien thuc cong nghe & giai tri

Wiki Article

Tavis Ormandy

Nguồn dữ liệu từ Wikipedia, hiển thị bởi DefZone.Net

Xem trên WikipediaBài ngẫu nhiên khác

Tavis Ormandy
OccupationHacker
EmployerGoogle
Websitegithub.com/taviso

Tavis Ormandy is an English computer security white hat hacker. Until October 10, 2025[1], he was employed by Google and was formerly part of Google's Project Zero team.[2]

Notable discoveries

[edit]

Ormandy is credited with discovering severe vulnerabilities in LibTIFF,[3] Sophos' antivirus software[4] and Microsoft Windows.[5] With Natalie Silvanovich he discovered a severe vulnerability in FireEye products in 2015.[6]

His findings with Sophos' products led him to write a 30-page paper entitled "Sophail: Applied attacks against Sophos Antivirus" in 2012, which concludes that the company was "working with good intentions" but is "ill-equipped to handle the output of one co-operative security researcher working in his spare time" and that its products shouldn't be used on high-value systems.[7]

He also created an exploit in 2014 to demonstrate how a vulnerability in glibc known since 2005 could be used to gain root access on an affected machine running a 32-bit version of Fedora.[8]

In 2016, he demonstrated multiple vulnerabilities in Trend Micro Antivirus on Windows related to the Password Manager,[9] and vulnerabilities in Symantec security products.

In February 2017, he found and reported a critical bug in Cloudflare's infrastructure leaking user-sensitive data along with requests affecting millions of websites around the world which has been referred to as Cloudbleed (in reference to the Heartbleed bug that Google co-discovered).[10]

On or around May 15, 2023, he found and reported a vulnerability called Zenbleed (CVE-2023-20593) affecting all Zen 2 class processors.

In September 2024, he was involved in discovering a microcode vulnerability affecting certain AMD Zen based processors.[11][12][13] (CVE-2024-56161)

References

[edit]
  1. ^ Ormandy, Tavis (10 October 2025). "A personal update... after nearly 20 years at Google, today is my last day!". Retrieved 14 November 2025.
  2. ^ Greenberg, Andy (15 July 2014). "Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers". Wired.com. Retrieved 4 January 2015.
  3. ^ Constantin, Lucian (30 December 2014). "Hey, devs! Those software libraries aren't always safe to use". Computerworld. Retrieved 5 January 2015.
  4. ^ Greenberg, Andy (4 August 2011). "Google Researcher Exposes Flaws In Sophos Software, Slams Antivirus Industry". Forbes. Retrieved 15 August 2016.
  5. ^ Keizer, Gregg (23 May 2013). "Google engineer bashes Microsoft's handling of security researchers, discloses Windows zero-day". Computerworld. Retrieved 5 January 2015.
  6. ^ Ormandy, Tavis (15 December 2015). "Project Zero: FireEye Exploitation: Project Zero's Vulnerability of the Beast". Project Zero. Retrieved 11 May 2017.
  7. ^ Tung, Liam (6 November 2012). "Google security researcher: Keep Sophos away from high value systems". CSO Online. Retrieved 5 January 2015.
  8. ^ Evans, Chris (25 August 2014). "Project Zero: The poisoned NUL byte, 2014 edition". Project Zero. Retrieved 11 May 2017.
  9. ^ Goodin, Dan (11 January 2016). "Google security researcher excoriates TrendMicro for critical AV defects". Ars Technica. Retrieved 4 February 2016.
  10. ^ "Incident report on memory leak caused by Cloudflare parser bug". Retrieved 23 February 2017.
  11. ^ "AMD: Microcode Signature Verification Vulnerability". GitHub. Retrieved 27 February 2025.
  12. ^ "AMD SEV Confidential Computing Vulnerability".
  13. ^ Paganini, Pierluigi (4 February 2025). "AMD fixed a flaw that allowed to load malicious microcode". Security Affairs. Retrieved 27 February 2025.
[edit]
Stub icon

This article on a computer specialist of the United Kingdom is a stub. You can help Wikipedia by adding missing information.