JS in SVG strikes again. This time it's a forever-day in AngularJS.

https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915

https://www.herodevs.com/vulnerability-directory/cve-2025-0716

sev:MED 4.8 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '[🖼 ]' SVG elements in AngularJS allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing and also negatively affect the application's performance and behavior by using too large or slow-to-load images.

This issue affects all versions of AngularJS.

Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .

https://nvd.nist.gov/vuln/detail/CVE-2025-0716

The Israel National Cyber Directorate published a few advisories in Ribbon Apollo products ( networking gear ), including a hardcoded creds one.

https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing

NEW: A court in India has ordered the block Proton Mail across the whole country as part of a case where a local design firm received obscene emails.

As of this writing, Proton Mail is still working, based on our tests.

Story by @jagmeets13

https://techcrunch.com/2025/04/29/indian-court-orders-blocking-of-proton-mail/

Prosecutors have requested Alex Mashinsky, CEO of the collapsed Celsius cryptocurrency company, be sentenced to at least twenty years in prison for his "sustained, calculated campaign of deceit carried out over years, targeting ordinary people."

https://www.courtlistener.com/docket/67604619/144/united-states-v-mashinsky/

#Celsius #crypto #cryptocurrency

Significant event for many, many reasons. Especially the fact Sophie Wilson spoke at it considering what is going on in the UK right now. One of the world's most widely used chips wouldn't exist without her contribution.

https://www.theregister.com/2025/04/29/arm_40/

#bbcmicro #arm

Google published a blog post about 0days and the like. This jumped out at me:

Vendor investments in exploit mitigations are having a clear impact on where threat actors are able to find success.

Stack canaries gained popularity in the Linux world in 2002. When did the Linux-based Ivanti ICS product get stack canaries, after years of ITW exploitation? 2025. That's right. They decided to wait TWENTY THREE YEARS before deciding to turn on a compile-time flag that would have prevented successful exploitation of April's CVE-2025-22457.

We all know that comparing the security disposition of companies/products based on CVE counts is both foolish and futile, but sometimes they make it easy for us. 😂

NEW: Last year, there were 34 recorded zero-days being exploited in real-world attacks, which were attributed to specific groups.

Of those, 23 were attributed to government-backed hackers, including spyware makers, which shows that governments are the main users of zero-days.

And while those got caught, Google's @_clem1 told us that spyware makers “are investing more resources in operational security to prevent their capabilities being exposed and to not end up in the news.”

Full story:

https://techcrunch.com/2025/04/29/government-hackers-are-leading-the-use-of-attributed-zero-days-google-says/

21 million employee screenshots leaked in bossware breach blunder.

https://www.bitdefender.com/en-us/blog/hotforsecurity/21-million-employee-screenshots-leaked-in-bossware-breach-blunder

Proof-of-work challenges have become the current hotness for defeating AI scrapers. I think it’s great we have these and that they’re getting deployed to great effect. But I’ve also seen a lot of people claim the “AI scrapers” problem is now solved and I’m sorry to tell you this but no it’s not.

The reason it’s solved right now is because most of these scrapers don’t execute JavaScript. But with enough people deploying PoW proxies, the economics around that change enough to make it worthwhile for AI companies to do so. AI companies have more money than you. Yes it’ll cost them, but that cost is worth it to them because otherwise they don’t have a business.

(Also Anubis and other solutions default to only triggering if the User-Agent header contains Mozilla so guess what! It’ll soon need to be enabled regardless of the value of that header because it’s trivial to circumvent. Then the cost goes up for the operator too as more and more users get affected.)

The JS needed for the PoW stuff isn’t complicated. A small JS interpreter can handle that. What mostly remains is then the cost of the hash. Right now most things use SHA256, for which we have CPU extensions and AVX instructions to speed this up. Constantly increasing the PoW rounds doesn’t solve this. Eventually the experience degrades too much for real users, whereas servers literally don’t care. Nobody is sitting there waiting for the output to be rendered. All they want is to get the content to train on.

PoW proxies are a stopgap, and a very useful one. But a stopgap nonetheless. We’re buying ourselves time. But we’re going to need more than this. Including legislation that outlaws some of this shit entirely.

AI is a technology, but the root of the problem we’re facing is a societal and political one. We cannot ignore those aspects and exclude them from a solution.

All of the gear needed for #Pwn2Own Berlin is on its way. Next stop - Germany!

In 15 minutes Europe will hopefully launch its next climate satellite. The launch can however only be watched via YouTube since we apparently can’t do that ourselves and have to put our government info next to the antivax promo. https://www.esa.int/ESA_Multimedia/ESA_Web_TV

FYSA; #BinaryRefinery has switched from pefile to LIEF:
https://github.com/binref/refinery/pull/84
It shouldn't change anything, but if it does, please let me know.

I wrote a book on Linux Memory Management, published by @nostarch - it's a comprehensive 1300 page exploration of Linux 6.0's memory management code, depth-first, diving into the code and REALLY explaining how things work.

The idea is to avoid hand waving as much as possible and literally explore what the kernel _actually_ does.

It's full of diagrams and careful explanations of logic including a ton of stuff you just can't find anywhere else.

It's currently available in its entirety in draft form via early access when you pre-order.

It's available at https://nostarch.com/linux-memory-manager

:)

Thanks Forbes, I was confused what password spraying...sorry, "sparaying" attacks looked like. 🫠

Go hack more AI shit.

https://frycos.github.io/vulns4free/2025/04/28/mailessentials.html