A drunken debugger

Heretek of Silent Signal
repeated

Palo Alto Networks security advisory: PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities Lead to Firewall Admin Account Takeover
See parent toot above for Horizon3 vulnerability details.

  • CVE-2024-9463 (9.9 critical) Palo Alto Networks Expedition OS command injection vulnerability
  • CVE-2024-9464 (9.3 critical) Palo Alto Networks Expedition OS command injection vulnerability
  • CVE-2024-9465 (9.2 critical) Palo Alto Networks Expedition SQL injection vulnerability
  • CVE-2024-9466 (8.2 high) Palo Alto Networks Expedition cleartext storage of sensitive information vulnerability
  • CVE-2024-9467 (7.0 high) Palo Alto Networks Expedition reflected XSS vulnerability

Palo Alto Networks is not aware of any malicious exploitation of these issues.

2
2
0
repeated

Project Zero Bot

New Project Zero issue:

dav1d integer overflow leading to out-of-bounds write

https://project-zero.issues.chromium.org/issues/42451651

CVE-2024-1580
0
1
0
repeated

I want the same drugs Mozilla leadership is taking. They sound too good to be left out!!!! AAHAHHAHAHAHAHHAHAHA My head is spinning from so much bullshit newspeak ahahahhahahahahahahahaha

"How do we ensure that privacy is not a privilege of the few but a fundamental right available to everyone? These are significant and enduring questions that have no single answer. But, for right now on the internet of today, a big part of the answer is online advertising."

0
1
0
repeated

@froge oh it's definitely one or several of the PixieFail vulns. MSRC sent notice out of the blue that they would credit us for CVE-2024-20659 but they did not say what it fixes.
The CVE they assigned is not one of the 9 originally assigned to PixieFail bugs 🤷‍♂️

https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html

0
1
0
repeated

This reads like RCE from the local broadcast domain to me, but I am not in the MSRC hive mind, so no idea why they call it "security feature bypass".
Perhaps UEFI is considered a security feature that can be bypassed?
🤔
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20659

1
1
0
@foone "Electro-mechanical doom" sounds like regular warfare
0
0
3
repeated

Yesterday's Nobel Prize, in "physics," can be questioned as grotesque. Today's from Chemistry - fully justified. We are waiting for literature and "peace". Although we may have to wait a little longer for the latter, and there has never been a peace Nobel for nuclear weapons.

0
1
1
@j_bertolotti I haven't seen the particular complaints you're referring to, but I do feel that an objectively harmful hype cycle seems to have influenced this decision while also feeding the same hype. I think this is a reason for head scratching for many, rather than questioning the significance of the discoveries.
0
0
1
repeated

This year was given to Hopfield and Hinton for their work on neural networks and machine learning.

Currently a lot of Physicists scratching their heads and wondering how machine learning is Physics, but:
* Physicists have taken Nobel prizes in Medicine and Chemistry a lot over the years, so I don't think it is fair for us to complain.
* Hopfield networks and Boltzmann machines are probably the two most "Physics adjacent" architectures for a neural network.

Overall, unexpected but well deserved.

https://www.nobelprize.org/prizes/physics/2024/press-release/

0
2
0
repeated

Current temperature of mastodon, twitter et al. ;-)

4
8
1
repeated

bug-bounty stats

(Including 84,260 USD payouts and 15.4% being valid reports.)

https://daniel.haxx.se/blog/2024/10/09/curl-bug-bounty-stats/

0
1
0
[RSS] Ivanti Connect Secure - Authenticated RCE via OpenSSL CRLF Injection (CVE-2024-37404)

https://blog.amberwolf.com/blog/2024/october/cve-2024-37404-ivanti-connect-secure-authenticated-rce-via-openssl-crlf-injection/
0
0
0
repeated

New sensitive breach: "AI girlfriend" site Muah[.]ai had 1.9M email addresses breached last month. Data included AI prompts describing desired images, many sexual in nature and many describing child exploitation. 24% were already in @haveibeenpwned. More: https://www.404media.co/hacked-ai-girlfriend-data-shows-prompts-describing-child-sexual-abuse-2/

1
4
0
repeated
@molly0xfff @cpy @shadow @koen_hufkens Death metal band logos have high resistance against AI text recognition. And OCR. Oh, and human readers.
0
0
3
repeated

It's the spooky season, and and have released their spookiest patches yet. Two bugs from Microsoft are under attack, and one looks strangely familiar. @TheDustinChilds breaks down the release and points out some deployment priorities. https://www.zerodayinitiative.com/blog/2024/10/8/the-october-2024-security-update-review

1
3
0