Exploiting CVE-2024-26581: use-after-free in Linux kernel nftables subsystem

https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs/exploit.md

#Linux #cybersecurity

neat: https://bug.directory/ from @thegrugq mailing list

[RSS] Eaton: Hardcoded SSH root password in XC-303 firmware

https://github.com/google/security-research/security/advisories/GHSA-xf7j-4x67-6h93

[RSS] Revisiting Neural Program Smoothing for Fuzzing (2023.09.28)

We find that the original performance claims for NPS fuzzers do not hold; a gap we relate to fundamental, implementation, and experimental limitations of prior works." #fuzzing

https://arxiv.org/pdf/2309.16618

[RSS] Look Ma, No Input Samples! Mining Input Grammars from Code with Symbolic Parsing

https://cispa.de/en/research/publications/79453-look-ma-no-input-samples-mining-input-grammars-from-code-with-symbolic-parsing

[RSS] Copy-and-Patch Compilation: A fast compilation algorithm for high-level languages and bytecode

https://arxiv.org/abs/2011.13127

The delayed import-table phantomDLL opportunities

https://hexacorn.com/blog/2024/09/14/the-delayed-import-table-phantomdll-opportunities/

#failedresearch

I've implemented Conway's Game Of Life, in Conway's Fractran, in 416 fractions.
https://paste.sr.ht/~rabbits/046a86f42b74789fd5ea08657d253287b3847ffc

@bascule No one? https://www.youtube.com/watch?v=6UPniOAMx94

OpenAI’s ‘$8.5 Billion Bills’ Report Sparks Bankruptcy Speculation

https://www.asiafinancial.com/openais-8-5-billion-bills-spark-bankruptcy-speculation

After a decade(?) without GReader I gave in and started using a server-based #RSS solution, primarily to sync between my devices.

#FreshRSS works pretty well so far: I use newsboat as client, and can even use the built-in scraper to follow sites that don't publish syndication feeds! The downside is that I have to use XPath...

Looks like Newag isn't satisfied with how their civil lawsuit against us in Warsaw is going - because they just filed another one, this time in Gdańsk, and from another corporate entity they manage. And to add to the pile of arbitrary accusations, this time it's about unfair competition (again) and violation of their corporate personality rights (slander?).

[RSS] Binary Ninja Ultimate

https://binary.ninja/2024/09/13/ultimate.html

[RSS] Ghost in the PPL Part 3: LSASS Memory Dump

https://itm4n.github.io/ghost-in-the-ppl-part-3/

Microsoft Security Response Center (MSRC) corrected CVE-2024-43461 (8.8 high) Windows MSHTML Platform Spoofing Vulnerability, marking it as both exploited and publicly disclosed based on evidence of exploitation from ZDI Hunting Team (see parent toot). This is the fifth zero day of September 2024 Patch Tuesday!
cc: @TheDustinChilds @campuscodi @briankrebs @todb @goatyell @ntkramer @hrbrmstr

#CVE_2024_43461 #eitw #activeexploitation #vulnerability #microsoft #msrc #zeroday #cve

Google Security Blog: A new path for Kyber on the web

• Chrome 131 will switch from supporting Kyber post-quantum algorithm to Module Lattice Key Encapsulation Mechanism (ML-KEM).
• Chrome will not support Kyber and ML-KEM at the same time.
• Chrome will offer a key share prediction for hybrid ML-KEM (codepoint 0x11EC)
• The PostQuantumKeyAgreementEnabled flag and enterprise policy will apply to both Kyber and ML-KEM
• Chrome will no longer support hybrid Kyber (codepoint 0x6399)

#postquantum #chrome #kyber #mlkem #security #infosec #cybersecurity

@fesshole and if your team is incompetent and takes 2x time to produce 2x buggy code, you get 4x the money because in agile invoicing by time is the norm. Brilliant idea for a business actually!

TIL about Nexus STC (love the #wh40k reference!):

https://www.reddit.com/r/scihub/comments/12detqs/standard_template_construct_store_and_search_the/

#ShadowLibrary

My response when people ask me about the state of computer security:
(Modified from https://xkcd.com/2030/)

iFixit (and AliExpress) rocks!

#RightToRepair