[RSS] Finding an Unauthenticated RCE nday in Zendto, patched quietly in 2021. Lots of vulnerable instances exposed to the internet.

https://projectblack.io/blog/zendto-nday-vulnerabilities/

#NoCVE

@grumpygamer There’s an idea in advertising that this doesn’t matter because it raises brand awareness. This is backed by some studies that suggest that people will remember brands long after they forget why they remember the brand and, when presented with a choice, will favour things they recognise.

I did an experiment on myself to try to explain why I’d picked particular brands (particularly for new product classes) and found that it looked like this effect had worked on me. I started actively avoiding brands where I felt they had a good reputation but couldn’t explain why.

That was a bit exhausting so I came up with a new strategy: whenever I see an ad like this, I repeat ‘fuck {brand name}’ in my head until it goes away. Then, when I encounter that brand later, the collocation is automatically in my head and I just avoid any brands where that’s my subconscious response.

I'm sad to say that we're following the lead of many others and putting in proof-of-work proxies into place to protect ourselves against "AI" crawler bots. Yes, I hate this as much as you, but all other options are currently worse (such as locking us into specific vendors).

We'll be rolling it out on lore.kernel.org and git.kernel.org in the next week or so.

Another day, another bug...

In 2020, I solved a gnarly reverse engineering challenge in PlaidCTF. Only 9 teams solved.

It's a huge pile of Typescript. Everything is named after a fish.

The catch? There's no code, only types. How do they perform computation using just the type system?

(Spoiler: Circuits!)

@VeroniqueB99

AMD released an advisory for Ryzen AI with four sev:HIGH CVEs.

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7037.html

High level diff of iOS 18.4 vs. iOS 18.5 beta 1 🎉

https://github.com/blacktop/ipsw-diffs/blob/main/18_4_22E240__vs_18_5_22F5042g/README.md

@bradlarsen I (and SO) stand corrected then, thanks for the information!

We've been teasing it for a while, but the full features of Firmware Ninja are officially available on dev and will be in the 5.0 release later this month! Doing reverse engineering of embedded firmware? Check out how FWN can make your life better:

https://binary.ninja/2025/04/02/firmware-ninja.html

How can one engage in algorithmic sabotage to poison "AI" scrapers looking for images when one is running a static website? Thanks to @pengfold, I've implemented a quick and easy way for my own blog:

https://tzovar.as/algorithmic-sabotage-ii/

Also thanks to @rostro & @asrg for the pointers and discussion!

#ai #sabotage #luddite

Jenkins released a security advisory with 9 CVEs across 8 vulns, 1 of which is sev:HIGH and the rest are sev:MED.

https://www.jenkins.io/security/advisory/2025-04-02/

[RSS] What keeps kernel shadow stack effective against kernel exploits?

https://tandasat.github.io/blog/2025/04/02/sss.html

LLM use case: as "github syntax highlighter" doesn't give very good results when I try to find out what GitHub specifically uses, I turned to FastGPT.

Its answer ("Tree-sitter grammars are used for syntax highlighting") was wrong, while pointed to the correct SO answer (pointing to Linguist) as a reference:

https://stackoverflow.com/questions/8886360/what-javascript-syntax-highlighter-does-github-use

It's time to explain Thunderbird's relationship to Mozilla again.

Thunderbird is in its own legal entity - MZLA Technologies and is governed in part by a Community Council elected by and from our open source contributors.

Thunderbird is currently 100% donation-funded. We do not receive any money outside what our donors give us.

This is good for Thunderbird and makes us unique. Our whole structure only works to serve the interests of our users and contributor community.

70 DIY Synths on One Webpage

https://hackaday.com/2025/04/02/70-diy-synths-on-one-webpage/

It seems like it's been a while since I've seen a SquirrelMail vuln.

sev:HIGH 7.2 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

https://squirrelmail.org/security/issue.php?d=2025-04-02

mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true.

https://nvd.nist.gov/vuln/detail/CVE-2025-30090

@cR0w as I understand this is just pw guessing no? The CVE seems shoehorned in as a buzzword...

@cR0w @pup @buherator @cy
FWIW, I did some testing with the eicar string in an AES-encrypted zip (via 7-zip)

• EICAR as eicar.com : Blocked
• EICAR as hello.txt : Allowed
• EICAR with an appended A as eicar.com : Blocked
• CRC32 collision as eicar.com: Blocked
• CRC32 collision as hello.txt: Allowed

So at least as of this specific test, it may be that the Gmail SMTP server is perhaps just using filenames for "blocking" the sending of mail.

And again, I use scare quotes around "blocked" as while the SMTP server does say that the message was blocked "because its content presents a potential security issue." But the email is indeed sent to the recipient., despite the warning.

@wdormann @cR0w @pup @cy Could you do a run with `7z -mhe=on`?