CISA: CISA Adds One Known Exploited Vulnerability to Catalog
Hot off the press! CISA adds CVE-2024-28986 (9.8 critical, disclosed 13 August 2024 by SolarWinds) SolarWinds Web Help Desk Java Deserialization Remote Code Execution Vulnerability to the Known Exploited Vulnerabilities Catalog.

Note: There was no indication that CVE-2024-28986 was being exploited in the wild in the security advisory.

cc: @campuscodi h/t: @hrbrmstr

#CVE_2024_28986 #SolarWinds #vulnerability #eitw #activeexploitation #cisa #kev #KnownExploitedVulnerabilitiesCatalog

@joxean We have a saying around here: "you are so dumb you bend space" (no offense @rabbit :))

NEW: Every Pixel phone released since 2017 has a hidden Verizon app, "Showcase.apk," with deep system access that has an unpatched flaw. Google's response to the vulnerability caused Palantir to ditch Android altogether. @lhn has the scoop: https://www.wired.com/story/google-android-pixel-showcase-vulnerability/

@gsuberland @rabbit

@briankrebs
From the days when we were all burning optical media: DVDisaster

The idea: When you burn a disc that isn't completely full, any unused sectors are truly wasted. This app uses them for extra ECC data. Here are screenshots from when I gouged a CD with a key, and then subsequently read the data from the scratched disc, without a single bit lost.

It's a nice example of a simple app that solves a real-world problem.

@briankrebs tmux!

the most recent hackerone issue was filed because the user googled "[another project] bug bounty program", clicked the first link (to #curl's bug-bounty) and entered an issue about a completely different project...

Long thread ahead about training a classifier of "good/batch matches" for #Diaphora.

So, the whole idea that I have been working on for quite some time already to try to, somehow, improve matching in Diaphora is the following: Train a model to better determine if a pair of functions in two binaries (ie, a match between a function A in binary X, and function B in binary Y) is correct or not.

Did someone already create a tarpit that targets the AI scraping bots?

Who volunteer to dress up as standing lamps for AlligatorCon?

#JeSuisLampshade

Just learned that in French cybersecurity threats are called "cybermenace" and I will only be using this term from now on

@Kensan @cynicalsecurity The outcome is obviously that, what I can't wrap my head around is what this outfit was supposed to represent? I mean there must have been an idea similar to "dress up girls in latex because geeks like Matrix" or similar, but I just can't imagine what led to *this*.

Mixing watering hole attacks with history leak via CSS https://adepts.of0x.cc/css-history-leaks/

@cynicalsecurity It was probably this: https://infosec.exchange/@screaminggoat/112958220558346758

My tolerance level is pretty high, but IMO this is just straight up offensive without *any* substance.

I’m in shock

So the Department of Energy emailed me

https://daniel.haxx.se/blog/2024/08/14/so-the-department-of-energy-emailed-me/

The folks from Xiaomi didn't pick up their Pwnie for Lamest Vendor Response, so we're keeping it safe for them until they decide to come accept it.

Ivanti security advisories: August Security Update
Today, fixes have been released for the following solutions: Ivanti Neurons for ITSM, Ivanti Avalanche and Ivanti Virtual Traffic Manager (vTM).

• Ivanti Neurons for ITSM
• Ivanti Avalanche 6.4.4
• Ivanti Virtual Traffic Manager (vTM )

The concerning CVEs:

• CVE-2024-7569 (9.6 critical) An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM
• CVE-2024-7593 (9.8 critical) authentication bypass in Ivanti vTM (PUBLICLY DISCLOSED)
  • "We are not aware of any customers being exploited by this vulnerability at the time of disclosure. However, a Proof of Concept is publicly available"

"We have no evidence of these vulnerabilities being exploited in the wild. These vulnerabilities do not impact any other Ivanti products or solutions."

See related Bleeping Computer reporting: Ivanti warns of critical vTM auth bypass with public exploit

#CVE #PatchTuesday #Ivanti #vulnerability

[RSS] LibRaw: Out of bounds write in LibRaw::sonyParseSR2

https://github.com/google/security-research/security/advisories/GHSA-724w-62fm-c94c

[RSS] Building a NES Emulator - Sprite Rendering

https://old.reddit.com/r/ReverseEngineering/comments/1es6o3u/building_a_nes_emulator_sprite_rendering/