The more I move to a thin-client model with my workstation (with projects/services moving to VM's) the more I see my dark future as an Emacs user.

TRAMP mode is pretty cool :/

@joxean I bet >10% of tourists have the exact same reasoning.

@touloutoumou You're doing God's work!

As a reminder, I'm uploading hundreds (yes) of Flash games unavailable until now to the internet archive:

https://archive.org/details/@touloutoumou

Analysis of a Flaw in Microsoft's Patch for "copy2pwn" (CVE-2024-38213)
https://blog.0patch.com/2025/02/analysis-of-flaw-in-microsofts-patch.html

@infosecdj Don't brag about being the Chosen One

https://youtu.be/fSxVN4csfTI?si=hzKmtkqJcsBzbmHv&t=21

I'm still looking for that brain activity sensor that someone used to make a propeller hat that spins faster when you think harder.

Re: CVE-2025-0108

Can we agree that "X-Trust-Me-Bro: $boolean" headers set by reverse proxies are an anti-pattern?

If so, what is the best practice?

Microsoft: So you've disabled the advertisements for Microsoft products we put on the lock screen.

Me: Yes

Microsoft: And you've disabled the weather widget in the start bar.

Me: Yes.

Microsoft: So you don't want notices on the start screen OR weather.

Me: Correct

Microsoft: Well good news this is start screen AND weather. You never said you didn't want them TOGETHER.

Me: Can I disable it

Microsoft: Sure, if you can solve this Rubik's cube

[RSS] Hack That Broken Zipper!

https://hackaday.com/2025/02/09/hack-that-broken-zipper/

[RSS] Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)

https://www.assetnote.io/resources/research/nginx-apache-path-confusion-to-auth-bypass-in-pan-os

Full analysis

Congrats to the IOActive marketing team for moving their blog to a platform with no RSS :P

[RSS] The Key to COMpromise - Downloading a SYSTEM shell, Part 3

https://neodyme.io/en/blog/com_hijacking_3/

I don't understand how Windows 10 is discontinued yet Microsoft still finds ways to add new types of advertisements to it

@cR0w @silverwizard PR has to show their worth, I'm pretty sure this wasn't composed by the offensive team

@silverwizard @cR0w To be fair, they could've pushed a silent patch...

@schrotthaufen That would mean there is an unrelated problem in the signing process that would deserve a separate CVE/advisory.

Happy #PatchTuesday from Google Chrome: Stable Channel Update for Desktop
Chrome 133.0.6943.98/.99 for Windows, Mac and 133.0.6943.98 for Linux has 4 security fixes, all 4 were externally reported:

• CVE-2025-0995 (high) Use after free in V8
• CVE-2025-0996 (high) Inappropriate implementation in Browser UI
• CVE-2025-0997 (high) Use after free in Navigation
• CVE-2025-0998 (high) Out of bounds memory access in V8

No mention of exploitation.

#chrome #google #cve #vulnerability #infosec #cybersecurity

Letting me have image editing software was a mistake

Updates get MitM'd by middleboxes (using shitty certs) all the time. This is why update packages are digitally signed and why many vendors simply use plain HTTP for delivery.

Yet for some reason Crowd Strike marked this as high severity with a CVSS vector indicating MitM -> full system compromise...

CVE-2025-1146