@drwhax @0xCDE you guys see work done at construction sites? (over here they usually just raise some fences, get the bosses cars parked then nothing happens for weeks)

[oss-security] "the security policy of libxml2 has been changed to disclose vulnerabilities before fixes are available"

https://www.openwall.com/lists/oss-security/2025/06/16/6

CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170

CVE-2025-6021 looks like the most severe (integer overflow in xmlBuildQName())

Off-By-One Conference Day 1&2 videos, without stupid redirectors:

https://www.youtube.com/playlist?list=PLiIDIO1Gp6V9t5jA1WnTVAfHNPPR9OhSx

https://www.youtube.com/playlist?list=PLiIDIO1Gp6V8_CMvMVabhyeABTW1yZrRZ

@joxean Or engineering archeology?

[RSS] Junk Code Engines for Polymorphic Malware

https://r0keb.github.io/posts/Junk-Code-Engines-for-Polymorphic-Malware/

The Day 2 videos are finally out 🥳🥳

https://bird.makeup/@offbyoneconf/1934401036460167285

The Day 1 videos are finally out 🥳🥳

https://bird.makeup/@offbyoneconf/1934400701767270409

this is a nice post on strace (I didn't know that strace had a --stack-traces option!) https://rrampage.github.io/2025/06/13/strace-tips-for-better-debugging/

I created a library from prefetch-tool so you can more easily experiment with side-channel #KASLR bypasses on Windows:

https://github.com/v-p-b/prefetch-lib

For dogfooding I exploited HEVD on Windows 11 24H2:

https://github.com/v-p-b/HEVD-prefetch

@jerry @cR0w You are joking but: https://threadreaderapp.com/thread/1932079435571671137.html

@erik @GossiTheDog I definitely wouldn't rule out time warps.

@GossiTheDog Friday the 13th's bugs hatched during the weekend I guess

[oss-security] CVE-2025-4748: Erlang/OTP 17.0–28.0.0 absolute-path traversal in zip:unzip/zip:extract

https://www.openwall.com/lists/oss-security/2025/06/16/5

Exquisite bug!

This exploited-in-the-wild issue is an interesting twist on binary planting that we were working on a decade and a half ago. The DLL/EXE search order just keeps on giving (to attackers, that is). https://binaryplanting.com

It turned out that all our security-adopted Windows versions were affected by this issue, so we created micropatches for them all. These are already distributed and applied to all online affected systems.

We would like to thank security researchers Alexandra Gofman and David Driker with @_cpresearch_ for detecting the exploitation and publishing their analysis, which made it possible for us to create a micropatch for this issue.

Micropatches Released for WEBDAV Remote Code Execution Vulnerability (CVE-2025-33053) https://blog.0patch.com/2025/06/micropatches-released-for-webdav-remote.html

Listen up Mastodonians, because this is important:

Right now we have a unique chance to rise up and hit back against Zuckerberg and Musk. Because italian filmmaker @_elena and her friends have made an OUTSTANDING short film, which explains why people should quit the fascist social networks and come join us in the fediverse.

Hit the fascists where it hurts — make this go viral by watching it and liking it on YouTube, then hit the share button and share it everywhere!

https://www.youtube.com/watch?v=YRJHIJy5Nno

Crypto: Sponsoring military parades for the Great Leader’s birthday

Just like Satoshi envisioned it.

@patcharcana @cR0w https://www.youtube.com/watch?v=mW9PvYYH9lA

#VibeCoding your MFA

New vulnerability report from Talos:

Asus Armoury Crate AsIO3.sys authorization bypass vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2150

CVE-2025-3464