Posts: 2525 · Following: 647 · Followers: 1460
"I'm interested in all kinds of astronomy."
XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115)

https://www.openwall.com/lists/oss-security/2025/04/03/1

"Our belief is that it's highly impractical to exploit on 64-bit systems
where xz was built with PIE (=> ASLR), but that on 32-bit systems,
especially without PIE, it may be doable."
Edited 3 months ago
@da_667 @Viss @cR0w @mttaggart I don't remember UPX unpacker vulns in FE specifically, but this old P0 post is still a fun read:

https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html

Edit: it seems they needed a (rather trivial) privesc in case of FE, so give credit where it's due ;)

https://project-zero.issues.chromium.org/issues/42452189
@Viss @da_667 @cR0w @mttaggart FTR it was Felix Wilhelm (who then went to big G) and these seem to be the slides:

https://ernw.de/download/ERNW_44CON_PlayingWithFire_signed.pdf
@mttaggart @cR0w I don't want unicorns, I just would like to see that shitty security QA has consequences on the market, regardless of technology.
The Exploit Development Life Cycle: From Concept to Compromise /by @chompie1337

https://www.youtube.com/watch?v=ce0bXORSMX4
repeated

Frida 16.7.0 is out w/ brand new APIs for observing the lifecycles of threads and modules, a profiler, multiple samplers for measuring cycles/time/etc., MemoryAccessMonitor providing access to thread ID and registers, and more 🎉 https://frida.re/news/2025/03/13/frida-16-7-0-released/

@cR0w How can this company still exist?
repeated

Brutus Bonebroth™ 🇦🇺🏜️

Edited 3 months ago
#music
[RSS] Finding an Unauthenticated RCE nday in Zendto, patched quietly in 2021. Lots of vulnerable instances exposed to the internet.

https://projectblack.io/blog/zendto-nday-vulnerabilities/

#NoCVE
repeated

@grumpygamer There’s an idea in advertising that this doesn’t matter because it raises brand awareness. This is backed by some studies that suggest that people will remember brands long after they forget why they remember the brand and, when presented with a choice, will favour things they recognise.

I did an experiment on myself to try to explain why I’d picked particular brands (particularly for new product classes) and found that it looked like this effect had worked on me. I started actively avoiding brands where I felt they had a good reputation but couldn’t explain why.

That was a bit exhausting so I came up with a new strategy: whenever I see an ad like this, I repeat ‘fuck {brand name}’ in my head until it goes away. Then, when I encounter that brand later, the collocation is automatically in my head and I just avoid any brands where that’s my subconscious response.

repeated
I'm sad to say that we're following the lead of many others and putting in proof-of-work proxies into place to protect ourselves against "AI" crawler bots. Yes, I hate this as much as you, but all other options are currently worse (such as locking us into specific vendors).

We'll be rolling it out on lore.kernel.org and git.kernel.org in the next week or so.
Another day, another bug...
repeated

In 2020, I solved a gnarly reverse engineering challenge in PlaidCTF. Only 9 teams solved.

It's a huge pile of Typescript. Everything is named after a fish.

The catch? There's no code, only types. How do they perform computation using just the type system?

(Spoiler: Circuits!)

@bradlarsen I (and SO) stand corrected then, thanks for the information!
repeated

We've been teasing it for a while, but the full features of Firmware Ninja are officially available on dev and will be in the 5.0 release later this month! Doing reverse engineering of embedded firmware? Check out how FWN can make your life better:

https://binary.ninja/2025/04/02/firmware-ninja.html

repeated

How can one engage in algorithmic sabotage to poison "AI" scrapers looking for images when one is running a static website? Thanks to @pengfold, I've implemented a quick and easy way for my own blog:

https://tzovar.as/algorithmic-sabotage-ii/

Also thanks to @rostro & @asrg for the pointers and discussion!
