Will Harris

2.5K posts


@parityzero

Chrome Security gnome. I work on the sandbox and local data protection on Windows. @parityzero.99 on signal. Opinions here are my own!

Joined June 2011
802 Following · 3.9K Followers
Pinned Tweet
Will Harris @parityzero
Try out the early alpha of Process Isolation in Chrome 138. chrome://flags/#enable-process-isolation-ui then chrome://settings/system for the switch. Read known issues issues.chromium.org/issues?q=hotli… and report bugs! Especially interested in App-Compat bugs.
Will Harris @parityzero
@0xcharlie The sooner we have the bug the sooner we are able to fix it for users. Breaking exploits with offset changes doesn't cause the bug to magically disappear or make users any safer.
Will Harris @parityzero
@0xcharlie We already tried to avoid releasing Chrome updates in the days leading up to pwn2own just in case a benign offset change meant we didn't get a juicy bug. Prefer to get the bug than not. Harder to avoid now though with weekly updates...
Will Harris @parityzero
@simplylurking2 Hmm, many techniques here might not work any more...? e.g. Secure Preferences now enabled on Enterprise and use App-Bound Encryption for hashes. Post what you find from your testing :)
wallfacer @simplylurking2
This is by far the best blog I've seen on the subject and has some beautiful approaches: synacktiv.com/en/publication… Gotta test what still works. pewpew
wallfacer @simplylurking2
Chrome devs have been cooking while I wasn't looking github.com/chromium/chrom… This landed in January 2026 on v144? Between this and process isolation going into experimental, low-hanging-fruit tricks are going away. May actually need to LPE/inj for cookies. A casual once-over... 🧵
(Quoted tweet: Will Harris @parityzero, the pinned post above on the Process Isolation alpha in Chrome 138.)
Will Harris @parityzero
@simplylurking2 Setting Chrome policy needs admin though doesn't it...? HKCU policy keys are ACLed?
wallfacer @simplylurking2
github.com/chromium/chrom… (#L327) prevents --load-extension, CDP, and friends from going from the stub to an extension inside of one of the isolated procs. But you can still have ExtensionInstallForcelist if HKLM hasn't already set it, higher priority. (cont)
Will Harris @parityzero
@5aelo seems like strong CFI should be possible - I suppose I am talking both forward and backward edge, and maybe CET or some hardware support? I think this seems more achievable than 'solving the JIT problem' but I dunno
Samuel Groß @5aelo
@parityzero I guess I'm thinking of Apple's platforms. They e.g. use PAC for CFI and their JIT supports that. I'm not sure I'd consider it strong, but maybe the closest we have? Though I'm not sure I could clearly define what strong CFI even means, which I think is part of the problem...
Samuel Groß @5aelo
Interesting talk coming up: offensivecon.org/speakers/2026/… I think there is sometimes a misconception that interpreters are somehow inherently more secure than JITs. Ultimately, it’s the optimizations added on top that matter. Both can get sufficiently complex and bug-dense (or not).
Will Harris @parityzero
@5aelo Why does building strong CFI also mean you can probably solve the JIT problem?
Samuel Groß @5aelo
There’s a valid argument that going full jitless allows for strict W^X, which should bring some benefit. But without strong CFI, that is usually easily bypassed via code reuse attacks. And if you manage to build actually strong CFI, you can probably also solve the JIT problem.
Will Harris retweeted
Bobby Seagull MBE @Bobby_Seagull
This young man Manchester Madgwick seems to know everything. What a mind. Bravo 👏🏻 #UniversityChallenge
Will Harris @parityzero
@WindowsCentral Make it so right-clicking on a file in Explorer on a modern 64-core Threadripper 3995WX doesn't take 3 seconds to open the context menu.
Windows Central @WindowsCentral
🔎Preview: 9 new features coming to Windows 11 (March 2026) Windows 11’s March 2026 update is expected to ship with nine new features and changes, and it’s shaping up to be one of the more meaningful updates in a while. Microsoft is rolling out a mix of UI polish, smarter system behavior, and quality‑of‑life improvements that should make day‑to‑day use feel smoother. It’s not a full redesign, but it’s enough to make Windows 11 feel refreshed heading into spring. Curious which of the nine upgrades people think will actually matter once they land? (1/2)
Will Harris retweeted
Chris Wysopal @WeldPond
The window between vulnerability disclosure and real-world exploitation keeps shrinking. The Zero Day Clock visualizes how fast attackers are operationalizing new CVEs. What used to take months now often happens in days, or hours. The future needs to be Secure by Design. zerodayclock.com #AppSec #CyberSecurity
Will Harris @parityzero
@afneil On international flights with no first class cabin they sometimes don't even bother calling group 1 (BA Gold) and go straight to 2 (business class).
Andrew Neil @afneil
Not huge. Guest list gets you access to Concorde Lounge in T5 Heathrow and Chelsea Lounge T8 JFK. But Group 0 status is meant to give you priority boarding ahead even of Group 1. But at least 50% of the time they don't bother to call Group 0. Boarding BA is usually shambles despite all the emphasis on groups. You'd think a British airline, of all airlines, would know how to organise an orderly queue! @British_Airways
(Quoted tweet) Rupert @rupertbe: @afneil @British_Airways Is there a big difference between gold and guest list?
Will Harris @parityzero
@xaitax I find it amusing that Copilot is using App-Bound Encryption - how about adding this support directly into the OS instead? Does this mean I work in AI Security now? :)
Alex @xaitax
Remember my post about Edge's Copilot interfaces (IElevatorCopilot etc)? Dug deeper. Edge's Local State has TWO ABE keys: • app_bound_encrypted_key (cookies/passwords) • aster_app_bound_encrypted_key (???) Both decrypt via same IElevatorEdge IID. Different 32-byte master keys. "Aster" = Microsoft's Copilot codename. What does Aster encrypt? 🤔
Will Harris retweeted
Alex @xaitax
Interesting. Microsoft Edge now finally switched on App-bound encryption for their passwords. At least for me now on Version 144.0.3719.35. Last test on Version 142.0.3595.53 this wasn't the case.
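The two posts above (the Edge Local State with an app_bound_encrypted_key and an aster_app_bound_encrypted_key, and Edge switching passwords over to App-Bound Encryption) are the kind of thing a practitioner checks by looking at the key blobs and stored values rather than by trusting a version number. Here is an added triage script for that; it is not code from either poster, from Chromium or from Microsoft. It assumes what Chromium's os_crypt code writes on Windows: the user-DPAPI key in Local State carries a "DPAPI" prefix once base64-decoded, the app-bound key carries "APPB", and stored cookie/password values are prefixed "v10" (encrypted under the user-DPAPI key) or "v20" (encrypted under the app-bound key). The Local State document is constructed; in particular, tagging the aster key with "APPB" is an assumption of the sample, not something the thread states, and the wrapper payloads are placeholder bytes rather than real blobs. The script only classifies; it does not attempt to unwrap anything.

```python
import base64
import json

# Prefixes assumed from Chromium's os_crypt sources (not stated in the thread above).
KEY_PREFIXES = {
    b"DPAPI": "user DPAPI: any code running as this user can unwrap it",
    b"APPB": "app-bound: wrapped so only the browser's elevation service can unwrap it",
}
VALUE_PREFIXES = {
    b"v10": "encrypted under the user-DPAPI key",
    b"v20": "encrypted under the app-bound key",
}


def classify_local_state(local_state_json: str) -> dict:
    """Map every *encrypted_key entry under os_crypt to how it is protected."""
    os_crypt = json.loads(local_state_json).get("os_crypt", {})
    report = {}
    for name, value in os_crypt.items():
        if not name.endswith("encrypted_key"):
            continue  # e.g. audit_enabled is a flag, not a key blob
        try:
            blob = base64.b64decode(value, validate=True)
        except (ValueError, TypeError):
            report[name] = "malformed (not base64)"
            continue
        report[name] = next(
            (desc for prefix, desc in KEY_PREFIXES.items() if blob.startswith(prefix)),
            "unknown prefix %r" % blob[:5],
        )
    return report


def classify_value(blob: bytes) -> str:
    """Classify one stored cookie/password value by its version prefix."""
    for prefix, desc in VALUE_PREFIXES.items():
        if blob.startswith(prefix):
            return desc
    return "unknown or plaintext"


# Constructed sample Local State. Payloads after the prefixes are placeholder bytes;
# the aster key being "APPB"-prefixed is an assumption of this sample.
SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {
        "encrypted_key": base64.b64encode(b"DPAPI" + b"\x01" * 16).decode(),
        "app_bound_encrypted_key": base64.b64encode(b"APPB" + b"\x02" * 16).decode(),
        "aster_app_bound_encrypted_key": base64.b64encode(b"APPB" + b"\x03" * 16).decode(),
        "audit_enabled": True,
    }
})


def triage() -> dict:
    """Run both checks over the constructed sample and two constructed stored values."""
    report = classify_local_state(SAMPLE_LOCAL_STATE)
    report["sample password value"] = classify_value(b"v20" + b"\x00" * 12 + b"ciphertext")
    report["sample legacy value"] = classify_value(b"v10" + b"\x00" * 12 + b"ciphertext")
    return report


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

On a real profile, point classify_local_state at the contents of the browser's Local State file and classify_value at the encrypted_value / password_value columns of the Cookies and Login Data SQLite databases. A profile whose keys are all "DPAPI"-prefixed and whose values are all "v10" is fully readable by any code running as the user; "APPB" keys and "v20" values are what the posts above are describing.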
Will Harris @parityzero
@jrozner @dinodaizovi yes, DBSC means the attacker must maintain persistence on the device so increases the cost/risk of any attacks.
Joe Rozner @jrozner
@parityzero @dinodaizovi My understanding is the cookie can still be used off device, you need to refresh it on device and be constantly pulling it. How frequently depends on the cookie lifetime. Is that incorrect? This breaks the infostealer selling creds. Like you said, it doesn't solve persistence
Dino A. Dai Zovi @dinodaizovi
Nearly every modern device has a TPM2, Secure Enclave, or hardware-backed keystore. Sites could be issuing device-bound, long-term keys that are used to issue short-term session tokens instead of requiring a new login. We just need the web standards to drive this.
(Quoted tweet) Mitchell Hashimoto @mitchellh: I just want to log in without being redirected 42 times or logged out every single day. I want to remain logged in on my device for at least months. We have machines that can mimic sentience and yet we can't do log in for more than 24 hours. We've been played for fools.
Will Harris @parityzero
@jrozner @dinodaizovi ... you need something like application isolation or strong application secret binding (macOS has keychain, Windows has app-bound encryption). 2/2
Will Harris @parityzero
@jrozner @dinodaizovi yes, exactly - so the cookie can be stolen but it can't be used off the device because of the need to present the short lived bearer token which is hardware bound. I don't think the goal of DBSC is to block an attacker with a persistent presence on the device. for that ... 1/2
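The exchange above (Dino's long-term device-bound key that mints short-term tokens, Joe's point that a stolen cookie still works until it needs refreshing, and Will's 1/2 and 2/2 on what DBSC does and does not stop) is easier to reason about as a runnable model. The following is an added example written for this page; it is not any participant's code and not Chromium's or the DBSC specification's implementation. Assumptions: an HMAC key inside a DeviceKey object stands in for the TPM-held asymmetric key (so the server-side verifier here also holds the secret, which a real deployment would never do; it would hold only the public key), the short-lived token lives 300 seconds, the signed message is a fixed context string plus session id plus nonce, and the class and function names are mine. The scenario function plays four roles: the browser on the device, an infostealer that exfiltrates the cookie jar once, an off-device attacker replaying what was stolen, and an attacker who keeps code execution on the device.

```python
import hashlib
import hmac
import secrets

SHORT_TOKEN_TTL = 300  # seconds; assumed, the real interval is up to the site
REFRESH_CONTEXT = b"dbsc-refresh:"  # domain separation for what the device key signs


class DeviceKey:
    """Stands in for a TPM-resident key: sign() is the only way to use the secret,
    which never leaves this object. Simulation: HMAC instead of an asymmetric key."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def verifier(self):
        """What the server stores at registration (the public key in real DBSC)."""
        secret = self._secret
        return lambda msg, sig: hmac.compare_digest(
            hmac.new(secret, msg, hashlib.sha256).digest(), sig)


class Server:
    def __init__(self):
        self.sessions = {}  # session cookie -> {verify, challenge, tokens: {token: expiry}}

    def register(self, verify) -> str:
        """Login: bind a long-lived session cookie to the device's key."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"verify": verify, "challenge": None, "tokens": {}}
        return sid

    def challenge(self, sid: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.sessions[sid]["challenge"] = nonce
        return nonce

    def refresh(self, sid: str, nonce: bytes, signature: bytes, now: float):
        """Mint a short-lived bearer token only for a fresh, correctly signed challenge."""
        s = self.sessions.get(sid)
        if s is None or s["challenge"] is None or not hmac.compare_digest(s["challenge"], nonce):
            return None
        s["challenge"] = None  # single use: a captured challenge cannot be replayed
        if not s["verify"](REFRESH_CONTEXT + sid.encode() + nonce, signature):
            return None
        token = secrets.token_hex(16)
        s["tokens"][token] = now + SHORT_TOKEN_TTL
        return token

    def request(self, sid: str, token, now: float) -> bool:
        """Authenticated request: session cookie plus an unexpired short-lived token."""
        s = self.sessions.get(sid)
        if s is None or token is None:
            return False
        expiry = s["tokens"].get(token)
        return expiry is not None and now < expiry


class Browser:
    """The legitimate client on the device that holds the key."""

    def __init__(self, server: Server, key: DeviceKey):
        self.server, self.key = server, key
        self.sid = server.register(key.verifier())
        self.token = None

    def refresh(self, now: float) -> bool:
        nonce = self.server.challenge(self.sid)
        sig = self.key.sign(REFRESH_CONTEXT + self.sid.encode() + nonce)
        self.token = self.server.refresh(self.sid, nonce, sig, now)
        return self.token is not None

    def fetch(self, now: float) -> bool:
        if not self.server.request(self.sid, self.token, now) and not self.refresh(now):
            return False
        return self.server.request(self.sid, self.token, now)


def infostealer_scenario(t0: float = 0.0) -> dict:
    """Steal the cookie jar once at t0, then see what it buys with and without a foothold."""
    server = Server()
    browser = Browser(server, DeviceKey())
    browser.refresh(t0)
    stolen_sid, stolen_token = browser.sid, browser.token  # what an infostealer exfiltrates
    later = t0 + SHORT_TOKEN_TTL + 1
    results = {
        "replay_before_expiry": server.request(stolen_sid, stolen_token, t0 + 60),
        "replay_after_expiry": server.request(stolen_sid, stolen_token, later),
    }
    # Off-device refresh: the attacker has the cookie but not the key, so must forge.
    nonce = server.challenge(stolen_sid)
    forged = hmac.new(b"attacker-guess", REFRESH_CONTEXT + stolen_sid.encode() + nonce,
                      hashlib.sha256).digest()
    results["offdevice_refresh"] = server.refresh(stolen_sid, nonce, forged, later) is not None
    # The real browser on the device refreshes and carries on.
    results["ondevice_refresh"] = browser.fetch(later)
    # An attacker with persistent code execution on the device can drive the key itself.
    nonce = server.challenge(stolen_sid)
    sig = browser.key.sign(REFRESH_CONTEXT + stolen_sid.encode() + nonce)
    results["persistent_attacker_refresh"] = server.refresh(stolen_sid, nonce, sig, later) is not None
    return results


if __name__ == "__main__":
    for name, ok in infostealer_scenario().items():
        print(f"{name}: {ok}")
```

The four results line up with the thread: a one-shot theft is usable until the short-lived token expires and then dead off-device (which is what makes stolen cookies unsellable), while an attacker who stays resident on the device can keep asking the key to sign, which is why the tweets above push that case onto application isolation or app-bound secret storage rather than onto DBSC.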