Citrix security advisory: Citrix Workspace app for Windows Security Bulletin CVE-2024-7889 and CVE-2024-7890
Happy #PatchTuesday from Citrix.

• CVE-2024-7889 (CVSSv4: 7.0 high) LPE
• CVE-2024-7890 (CVSSv4: 5.4 medium) LPE

Fixed in Citrix Workspace app for Windows 2405 and later versions, Citrix Workspace app for Windows 2402 CU1 LTSR and later versions. No mention of exploitation.

#citrix #vulnerability #cve #citrixworkspace

Ivanti security advisory: September 2024 Security Update
Happy #PatchTuesday from Ivanti. There are some serious vulnerabilities. I want to emphasize that Ivanti stated they "have no evidence of these vulnerabilities being exploited in the wild." See the following advisories:

• Security Advisory EPM September 2024 for EPM 2024 and EPM 2022
• Security Advisory Ivanti Cloud Service Appliance (CSA) (CVE-2024-8190)
• Security Advisory Ivanti Workspace Control (IWC)

The big ones:

• CVE-2024-29847 (perfect 10.0 critical 🥳 cc: @cR0w) deserialization in the agent portal of Ivanti EPM before 2022 SU6/September 2024 update allows unauth RCE
• CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34783, CVE-2024-34785: unspecified SQL injection in Ivanti EPM before 2022 SU6/September 2024 update allow remote authenticated attacker with admin privileges to RCE

#ivanti #vulnerability #cve #epm #iwc #csa

It is shocking that after moving from Google workspace to Proton as the back office for our professional email adresses etc, all the major Dutch institutions are blocking us as spam. All our contacts have to whitelist us individually. So I think we are forced to go back to Google, where we had this problem occasionally but not as massively as now. It seems the reason is that Microsoft, used by almost all institutions in NL, simply blocks all Proton mail .😈 ( DNS=OK configured)

I would like to impress upon product managers that a code security review does not consist of me sitting down with the files in alphabetical order and reading each and every line exactly once in order and checking off whether it is or isn’t secure

This widely shared infographic uses a trick to make its message appear much stronger than it actually is. It seems to show a strong correlation between energy consumption and the wealth of a country. By using a logarithmic scale, the correlation appears much stronger than it actually is. I covered this before in articles, and now have also uploaded a short video ⚡💸🎥 https://www.youtube.com/watch?v=2xZ6CihdKu0 🧵

@mcc (In short, as "AI summaries" corrupt more and more material, I think we're going to end up seeing more and more arguments where people are not reading the article, but instead are just the broken AI paraphrase, and starting fights based on what the LLM got wrong.)

@mcc This, this, this. Whether or not LLMs "work" (they don't), whether or not they can be ethically trained (they can't), whether or not they can be reduced to an energy and CPU scale that's reasonable to run locally (they can't), LLMs still fundamentally invert the relationship we have with written language.

I have one contact from a Mozilla dev and a detail-free tracking issue to work from here. I can't know how this subject is being discussed within Mozilla and you should be clearly aware I'm speculating. But what I see here is, they view "summarization" as a component of the "AI chatbot" model which they can tear off and move into a local model, thus "solving" the privacy/safety problems.

Which alarms the heck out of me, as the other issues— licensing, environmental impact, and
➡️ lying ⬅️
remain.

Here is how I interpret what I see here. Mozilla, or the people within Mozilla driving the "AI chatbot" feature, view the "labs" chatbot feature as only step one of a larger plan. Their goal is to get people used to interacting with "AI" through the Mozilla sidebar, and once they're used to that, they want to encourage people to switch out OpenAI or Bing in this sidebar for Mozilla's AI (some part of which might be running locally).

In other words, Mozilla wants to be the next OpenAI.

There is a known issue in the latest stable 4.1.5902 we wanted to make folks aware of. If you save a bndb while debugging, the database can get into an improper state and it may appear to lose user changes. The issue is resolved in the latest dev builds.

For those who are using the latest stable, you can either switch to dev or avoid saving during debugging (saving after debugging is unaffected). Impacted users can contact support (https://binary.ninja/support/) or see: https://github.com/Vector35/debugger/issues/612

@Foxboron reminds me of this (now deleted) github profile bragging about writing kernel bytecode interpreters in C for... crowdstrike.