"I'm interested in all kinds of astronomy."

TrendAI Zero Day Initiative

In his latest blog, ZDI researcher Piotr Bazydło covers a pre-auth Arbitrary File Deletion vulnerability he discovered in the SolarWinds Access Rights Manager (ARM). It may not sound exciting, but it can lead to a local privilege escalation on domain-joined Windows machines. Read the details at https://www.zerodayinitiative.com/blog/2024/12/11/solarwinds-access-rights-manager-one-vulnerability-to-lpe-them-all

@mttaggart "Security is a Specialization" <- this 1000x

It's time for everybody's favorite: unsolicited advice!

In which I discuss the reality of the cybersecurity jobs market, and what you really should be doing to improve your chances.

https://taggart-tech.com/20241212-2025-jobs-guide/

@mainframed767 @racingmars "business-y sounding report" -> I'm sorry but I'm triggered by this... "business-y" content is wasting my time, and IMO if someone prefers that instead of an on-point, although stylistically imperfect report, it's the reader's problem not the writer's.
@cR0w Yeah I wonder if anyone tracks the frequency and impact of its bugs when doing supply chain analysis...
Apache incubator projects have always been gold mines, but Solr stands out based on the traffic it generates on Full-Disclosure...

Fixed the OpenGraph image on Shazzer; it was bugging me. Then did a normalization vector to test it!

https://shazzer.co.uk/vectors/675add23a8574986b36cc848


I can't seem to get WebView2 working in a Visual Studio extension, so I'm dropping that effort for now.

If anyone knows how to do this, or actually wants Function-Graph-Overview in Visual Studio, let me know!


The number one skill required for learning any complex system is patience.

— Kelsey Hightower


🚨 We are calling on all EU-based Mozillians to help us monitor Apple’s new browser choice screens.

Let’s hold Big Tech to account!

Anyone in the EU with an Apple device can join in this effort.

Learn more: http://mzl.la/49xJpvP

[RSS] Linux vDSO & VVAR - CVE-2023-23586 analysis

https://u1f383.github.io/linux/2024/12/11/linux-vdso-and-vvar.html
[RSS] Far From Random: Three Mistakes From Dart/Flutter's Weak PRNG

https://www.zellic.io/blog/proton-dart-flutter-csprng-prng

Incredible essay about the importance and challenges of digital archival by Maxwell Neely-Cohen, as well as the various imperfect strategies to achieve “century-scale” digital archives.

https://lil.law.harvard.edu/century-scale-storage/

"We picked a century scale because most physical objects can survive 100 years in good care. It is attainable, and yet we selected it because the design of mainstream digital storage mediums are nowhere close to even considering this mark."

1/

@cR0w I see you are a man of culture as well!
[RSS] Cleo Harmony, VLTrader, and LexiCom: CVE-2024-50623, RCE via arbitrary file write

https://labs.watchtowr.com/cleo-cve-2024-50623/

Talos Vulnerability Reports

New vulnerability report from Talos:

Adobe Acrobat Reader Font gvar per-tuple-variation-table Out-Of-Bounds Read Vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2064

CVE-2024-49532