The Vulnerabilities We Have Crushed Over the Years


by Tencent Keen Security Lab

Whose vulnerability-hunting machine is the strongest? Let the number and quality of the vulnerabilities speak. We recently took stock of the vulnerabilities Keen has found over the past few years:

By an incomplete count, since 2006 Keen has discovered 152 high-severity vulnerabilities in mainstream operating systems, browsers and application software.

Of these, 13 were used in our 8 Pwn2Own winning entries.

CVE-2007-0071 was nominated for Best Client-Side Bug at the Pwnie Awards 2008 (often called the "Oscars of hacking"); it was also the first time a Chinese security researcher had appeared on the Pwnie stage.

The high-severity vulnerability CVE-2010-3333, an RTF parsing stack buffer overflow, affected every version of Microsoft Office Word at the time, with enormous impact.

CVE-2015-3636 (a use-after-free in the Linux kernel's IPv4 ping socket support, listed under Linux below) was extremely powerful: it could root most Android phones of the day, scoring full marks for practicality. At the Pwnie Awards 2015 it deservedly received a nomination for Best Privilege Escalation Bug. Its exploitation technique was also recognized by the academic community: Keen was invited to present the exploitation details at the top-tier security conferences Black Hat 2015 and USENIX WOOT.

CVE-2014-1303 and CVE-2014-1314 ended a three-year streak in which nobody had broken Mac OS X at Pwn2Own; it was also the first time in Pwn2Own history that a 64-bit browser plus operating system had been remotely compromised.

CVE-2015-2435 and CVE-2015-2455 not only won us two titles at Pwn2Own 2015; it was also the first time in Pwn2Own history that a team obtained Windows kernel SYSTEM privileges. These two TrueType font parsing bugs reflect Keen's world-class breakthrough in font research; exploitable font vulnerabilities had been rare before then. CVE-2015-2455 was nominated for Best Privilege Escalation Bug at the Pwnie Awards 2015.

CVE-2016-1815, a graphics driver vulnerability, shows Keen's breakthrough in Apple Graphics research; both the bug and its exploit use new methods of our own devising. We will share the details at RECon 2016 in Canada this June.

As an overall trend, Keen's research focus has shifted from PC to mobile over the past few years: PC vulnerability output remains high, while mobile results have clearly grown.

Below is the (incomplete) list of CVEs:

Microsoft

CVE-2014-2819 (Pwn2Own 2014 Flash sandbox bypass on Windows 8.1)
Internet Explorer Elevation of Privilege Vulnerability
https://technet.microsoft.com/en-us/library/security/MS14-051

CVE-2015-2435 (Pwn2Own 2015 Flash sandbox bypass with System EoP on Windows 8.1)
TrueType Font Parsing Vulnerability
https://technet.microsoft.com/library/security/MS15-080

CVE-2015-2455 (Pwn2Own 2015 Reader sandbox bypass with System EoP on Windows 8.1 / Pwnie 2015 nomination)
TrueType Font Parsing Vulnerability
https://technet.microsoft.com/library/security/MS15-080

CVE-2016-0176 (Pwn2Own 2016 Edge sandbox bypass with System EoP on Windows 10)
Microsoft DirectX Graphics Kernel Subsystem Elevation of Privilege Vulnerability
https://technet.microsoft.com/library/security/MS16-062

CVE-2010-3333
MICROSOFT WORD RTF FILE PARSING STACK BUFFER OVERFLOW VULNERABILITY
http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx

CVE-2007-2931
MSN Messenger Video Conversation Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS07-054.mspx

CVE-2008-1091
Microsoft Office RTF Parsing Engine Memory Corruption Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms08-026.mspx

CVE-2008-3471
Microsoft Office Excel BIFF File Format Parsing Stack Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS08-057.mspx

CVE-2008-4027
Microsoft Office RTF Consecutive Drawing Object Parsing Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-084/

CVE-2008-4028
Microsoft Office RTF Drawing Object Heap Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS08-072.mspx

CVE-2008-4837
Microsoft Office Word Document Table Property Stack Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS08-072.mspx

CVE-2009-1130
Microsoft Office PowerPoint Notes Container Heap Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS09-017.mspx

CVE-2009-0563
Microsoft Word Document Stack Based Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS09-027.mspx

CVE-2009-1530
Microsoft Internet Explorer Event Handler Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-038/

CVE-2009-1531
Microsoft Internet Explorer onreadystatechange Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-039/

CVE-2009-1918
Microsoft Internet Explorer getElementsByTagName Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-047/

CVE-2009-1133
Microsoft Remote Desktop Client Arbitrary Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-057/

CVE-2009-1920
Microsoft Internet Explorer JScript arguments Invocation Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-062/

CVE-2009-2502
MICROSOFT WINDOWS GDI+ TIFF FILE PARSING BUFFER OVERFLOW VULNERABILITY
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx

CVE-2010-0244
Microsoft Internet Explorer Table Layout Col Tag Cache Update Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-011/

CVE-2010-0491
MICROSOFT INTERNET EXPLORER ‘ONREADYSTATECHANGE’ USE AFTER FREE VULNERABILITY
http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx

CVE-2010-1900
Microsoft Office Word sprmCMajority Record Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-150/

CVE-2010-1901
MICROSOFT OFFICE RTF PARSING ENGINE MEMORY CORRUPTION VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=877

CVE-2010-1902
MICROSOFT WORD RTF FILE PARSING HEAP BUFFER OVERFLOW VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=876

CVE-2016-0193
Scripting Engine Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS16-052

CVE-2015-2383
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-065

CVE-2015-1753
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-056

CVE-2015-1689
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-043

CVE-2015-1691
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-043

CVE-2015-1718
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-043

CVE-2015-1657
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-032

CVE-2015-0056
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-018

CVE-2015-0039
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-009

CVE-2015-0066
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-009

CVE-2014-6375
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/ms14-080

CVE-2014-6339
Internet Explorer ASLR Bypass Vulnerability
https://technet.microsoft.com/library/security/MS14-065

CVE-2014-4130
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/ms14-056

CVE-2014-2773
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/ms14-035

CVE-2014-0267
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/ms14-010

Google/Android related bugs

CVE-2016-1646
Out-of-bounds read in V8
http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_24.html

CVE-2010-2297
Table layout crash bug from wushi
https://code.google.com/p/chromium/issues/detail?id=42723

CVE-2010-4206
chrome_55000000!WebCore::FEBlend::apply Memory corruption
https://code.google.com/p/chromium/issues/detail?id=60688

CVE-2014-8299
MTK TOCTTOU memory corruption
http://2014.zeronights.org/assets/files/slides/racingwithdroids.pdf

CVE-2016-2443
Qualcomm MDP escalation of privilege
https://source.android.com/security/bulletin/2016-05-01.html

CVE-2016-0811
libmediaplayerservice infoleak
https://source.android.com/security/bulletin/2016-02-01.html

CVE-2015-6637
misc-sd escalation of privilege
https://source.android.com/security/bulletin/2016-01-01.html

CVE-2015-6612
libmedia escalation of privilege
https://source.android.com/security/bulletin/2015-11-01.html

CVE-2015-6620
libstagefright escalation of privilege
https://source.android.com/security/bulletin/2015-12-01.html

CVE-2015-6622
Android Native Frameworks Library infoleak
https://source.android.com/security/bulletin/2015-12-01.html

CVE-2014-9410
Multiple Issues in Camera Drivers
https://www.codeaurora.org/projects/security-advisories/hall-of-fame

CVE-2014-4324
Multiple Issues in Camera Drivers
https://www.codeaurora.org/projects/security-advisories/hall-of-fame

CVE-2014-4321
Multiple Issues in Camera Drivers
https://www.codeaurora.org/projects/security-advisories/hall-of-fame

CVE-2014-0976
Multiple Issues in Camera Drivers
https://www.codeaurora.org/projects/security-advisories/hall-of-fame

CVE-2014-0975
Multiple Issues in Camera Drivers
https://www.codeaurora.org/projects/security-advisories/hall-of-fame

CVE-2015-3854
Permission leak in systemserver
https://blog.flanker017.me/series-of-vulnerabilities-in-system_server/

CVE-2015-3855
Permission leak in systemserver
https://blog.flanker017.me/series-of-vulnerabilities-in-system_server/

CVE-2015-3856
Denial of service in systemserver
https://blog.flanker017.me/series-of-vulnerabilities-in-system_server/

Apple

CVE-2013-5228 (Mobile Pwn2Own 2013 iOS 7)
Apple iOS Safari DocumentOrderedMap Remote Code Execution Vulnerability
https://support.apple.com/en-us/HT202897

CVE-2014-1303 (Pwn2Own 2014 Safari on OS X)
Apple Safari Heap Buffer Overflow Remote Code Execution Vulnerability
https://support.apple.com/zh-cn/HT202941

CVE-2014-1314 (Pwn2Own 2014 OS X sandbox bypass)
Apple OS X WindowsServer Sandbox Escape Vulnerability
https://support.apple.com/en-us/HT202966

CVE-2016-1859 (Pwn2Own 2016 Tencent Security Team Shield Safari on OS X)
Multiple memory corruption issues were addressed through improved memory handling in WebKit
https://support.apple.com/en-us/HT206565

CVE-2016-1804 (Pwn2Own 2016 Tencent Security Team Shield sandbox bypass on OS X)
Multi-Touch memory corruption
https://support.apple.com/en-us/HT206567

CVE-2016-1857 (Pwn2Own 2016 Tencent Security Team Sniper Safari on OS X)
Multiple memory corruption issues were addressed through improved memory handling in WebKit
https://support.apple.com/en-us/HT206565

CVE-2016-1815 (Pwn2Own 2016 Tencent Security Team Sniper sandbox bypass on OS X)
IOAcceleratorFamily memory corruption
https://support.apple.com/zh-cn/HT206567

CVE-2009-1690
MULTIPLE VENDOR WEBKIT ERROR HANDLING USE AFTER FREE VULNERABILITY
http://support.apple.com/kb/ht3613

CVE-2010-0047
Apple WebKit innerHTML element Substitution Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-029/

CVE-2010-0053
Apple WebKit CSS run-in Attribute Rendering Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-030/

CVE-2010-0050
Apple Webkit Blink Event Dangling Pointer Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-031/

CVE-2010-0048
Apple Webkit Anchor Tag Mouse Click Event Dispatch Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-146/

CVE-2010-0049
Apple WebKit RTL LineBox Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-152/

CVE-2010-1119
Apple Webkit Attribute Child Removal Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-091/

CVE-2010-1392
Apple Webkit Button First-Letter Style Rendering Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-154/

CVE-2010-1396
Apple Webkit Option Element ContentEditable Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-092/

CVE-2010-1397
Apple Webkit DOCUMENT_POSITION_DISCONNECTED Attribute Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-095/

CVE-2010-1398
Apple Webkit ContentEditable moveParagraphs Uninitialized Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-097/

CVE-2010-1399
Apple Webkit SelectionController via Marquee Event Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-094/

CVE-2010-1400
MULTIPLE VENDOR WEBKIT HTML CAPTION USE AFTER FREE VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=870

CVE-2010-1401
Apple Webkit First-Letter Pseudo-Element Style Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-098/

CVE-2010-1402
Apple Webkit ConditionEventListener Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-100/

CVE-2010-1403
Apple Webkit ProcessInstruction Target Error Message Insertion Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-099/

CVE-2010-1404
Apple Webkit Recursive Use Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-096/

CVE-2010-1665
Apple Webkit WebCore::FontFallbackList::determinePitch memory corruption
https://code.google.com/p/chromium/issues/detail?id=42294

CVE-2010-1749
Apple Webkit SVG RadialGradiant Run-in Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-101/

CVE-2010-1770
Apple Webkit CSS Charset Text Transformation Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-093/

CVE-2010-1786
Apple Webkit SVG ForeignObject Rendering Layout Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-141/

CVE-2010-1785
Apple Webkit SVG First-Letter Style Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-142/

CVE-2010-1784
Apple Webkit Rendering Counter Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-144/

CVE-2010-1787
Apple Webkit SVG Floating Text Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-153/

CVE-2010-3113
WebKit Security issue in SVGUseElement::buildShadowTree
http://www.securityfocus.com/bid/44199

CVE-2010-3114
WebKit Memory corruption with invalid text node cast for edit commands
https://code.google.com/p/chromium/issues/detail?id=49628

CVE-2010-1806
Apple Safari Webkit Runin Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-170/

CVE-2010-1822
Webkit Bad cast with svg:g element
https://code.google.com/p/chromium/issues/detail?id=55114

CVE-2010-1824
Apple Webkit Error Message Mutation Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-095/

CVE-2010-4198
Webkit Memory corruption in accessing floatptr of a textarea
https://code.google.com/p/chromium/issues/detail?id=55257

CVE-2010-3808
WebKit invalid cast issue in editing commands
http://support.apple.com/kb/HT4455

CVE-2010-3824
WebKit's handling of "use" elements in SVG documents
http://support.apple.com/kb/HT4455

CVE-2011-1118
WebKit Security: WebCore::HTMLTextAreaElement::updateValue
https://code.google.com/p/chromium/issues/detail?id=71388

CVE-2011-1117
WebKit Stale nodes in Document::recalcStyleSelector
https://code.google.com/p/chromium/issues/detail?id=71386

CVE-2011-1448
WebKit stale entries in gPercentHeightDescendantsMap
https://code.google.com/p/chromium/issues/detail?id=77130

CVE-2010-1823
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-0233
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-0234
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-0237
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-0240
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-1117
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-1449
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-1453
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-1462
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-1797
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-3438
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-2825
Webkit fontface Invalid Font Family Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-054/

CVE-2011-2855
MULTIPLE VENDOR WEBKIT SVG ELEMENT USE AFTER FREE VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=971

CVE-2011-3928
Webkit.org Webkit copyNonAttributeProperties Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-055/

CVE-2011-3035
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT5400

CVE-2012-0634
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT5191

CVE-2012-3683
APPLE SAFARI RENDERBOX INLINEBOX TYPE CONFUSION VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=998

CVE-2013-0961
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT5671

CVE-2012-1521
WebKit Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren
http://googlechromereleases.blogspot.com/2011/04/chrome-stable-update.html

CVE-2014-1368
Multiple memory corruption issues existed in WebKit
https://support.apple.com/en-us/HT203007

CVE-2016-1824
IOHIDFamily memory corruption
https://support.apple.com/zh-cn/HT206567

CVE-2016-1860
Intel Graphics Driver memory corruption
https://support.apple.com/en-us/HT206567

CVE-2016-1716
AppleGraphicsPowerManagement memory corruption
https://support.apple.com/zh-cn/HT205731

CVE-2015-5768
AppleGraphicsControl memory corruption
https://support.apple.com/en-us/HT205031

CVE-2015-3676
AppleGraphicsControl memory corruption
https://support.apple.com/en-us/HT204942

CVE-2015-3702
Intel Graphics Driver memory corruption
https://support.apple.com/en-us/HT204942

CVE-2015-3705
IOAcceleratorFamily memory corruption
https://support.apple.com/en-us/HT204942

CVE-2015-3706
IOAcceleratorFamily memory corruption
https://support.apple.com/en-us/HT204942

Adobe

CVE-2007-0071 (Pwnie 2008 nomination)
Integer overflow in Adobe Flash Player 9.0.115.0 and earlier
http://www.securityfocus.com/bid/28695

CVE-2015-6678 (Pwn2Own 2015 Flash)
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html

CVE-2015-5108 (Pwn2Own 2015 Adobe Reader)
Security Updates Available for Adobe Acrobat and Reader
https://helpx.adobe.com/security/products/acrobat/apsb15-15.html

CVE-2014-0510 (Pwn2Own 2014 Flash)
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb14-14.html

CVE-2011-2135
ADOBE FLASH PLAYER ACTIONSCRIPT DISPLAY MEMORY CORRUPTION VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=935

CVE-2012-2034
ADOBE FLASH PLAYER ACTIONSCRIPT DISPLAYOBJECT LAYOUT MEMORY CORRUPTION VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=987

CVE-2015-5087
Security Updates Available for Adobe Acrobat and Reader
https://helpx.adobe.com/security/products/acrobat/apsb15-15.html

CVE-2015-3124
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

CVE-2015-3083
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

CVE-2015-3082
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

CVE-2015-3081
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

CVE-2015-0351
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html

CVE-2015-3040
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html

CVE-2015-3041
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html

CVE-2015-0342
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-05.html

CVE-2015-0322
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html

Mozilla

CVE-2008-5021
Crash and remote code execution in nsFrameManager
http://www.mozilla.org/security/announce/2008/mfsa2008-55.html

CVE-2010-0183
Firefox Use-after-free error in nsCycleCollector::MarkRoots()
http://www.mozilla.org/security/announce/2010/mfsa2010-27.html

CVE-2010-3166
Firefox Heap buffer overflow in nsTextFrameUtils::TransformText
http://www.mozilla.org/security/announce/2010/mfsa2010-53.html

CVE-2010-3772
Firefox Crash and remote code execution using HTML tags inside a XUL tree
http://www.mozilla.org/security/announce/2010/mfsa2010-77.html

CVE-2012-0472
Firefox Potential memory corruption during font rendering using cairo-dwrite
http://www.mozilla.org/security/announce/2012/mfsa2012-25.html

Linux

CVE-2015-3636 (PingPong Root / Pwnie 2015 nomination)
Use-after-free flaw in the Linux kernel’s ipv4 ping support.
http://www.ubuntu.com/usn/usn-2631-1/

CVE-2016-4794
Linux kernel BPF-related use-after-free
http://seclists.org/oss-sec/2016/q2/332

CVE-2015-7292
Amazon Fire Phone kernel stack-based buffer overflow
http://marcograss.github.io/security/android/cve/2016/01/15/cve-2015-7292-amazon-kernel-stack-buffer-overflow.html

Misc

CVE-2006-7222
Media Player Classic FLI File Processing Buffer Overflow
http://www.securityfocus.com/bid/25437