21 Zero-Days in FFmpeg | depthfirst
depthfirst.com
depthfirst's production autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg, after intensive security analysis by Google and Anthropic. Moving beyond theoretical analysis, our agent produces concrete, reproducible PoC inputs to confirm its findings at a fraction of the costs ($1k vs. $10k). Several of the findings had been sitting latent for 15 to 20 years. We explored the exploitability of the issues and developed a PoC demonstrating a RCE exploit primitive.

TLDR: depthfirst’s production autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg, after intensive security analysis by Google and Anthropic. Moving beyond theoretical analysis, our agent produces concrete, reproducible PoC inputs to confirm its findings at a fraction of the costs ($1k vs. $10k). Several of the findings had been sitting latent for 15 to 20 years. We explored the exploitability of the issues and developed a PoC demonstrating a RCE exploit primitive.

  • floquant@lemmy.dbzer0.comEnglish
    41·
    6 days ago

    Back in my day, zero-day meant exploited in the wild first, described publicly later. Or a disclosure without involving the target with an exploit attached.

    • Venator@lemmy.nzEnglish
      51·
      6 days ago

      I guess they must’ve published this without notifying ffmpeg first?

        • Venator@lemmy.nzEnglish
          3·
          6 days ago

          dunno, I didn’t open the article because the title claims they did and I don’t want to encourage that sort of behavior with engagement 😜

  • ZoteTheMighty@lemmy.zipEnglish
    2·
    5 days ago

    Unfortunately, these AI-discovered exploits seem like they’re here to stay. It’s just wishful thinking to imagine that we’d somehow fix all the bugs, so we’re just gonna have to live with endless day-zeroes forever.