Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's "leaked credentials" detection app called MACE.

https://www.bleepingcomputer.com/news/microsoft/widespread-microsoft-entra-lockouts-tied-to-new-security-feature-rollout/

I’m a bit tired of all of the ‘look, the USA did these terrible things in the past, this isn’t new’ posts.

The past was pretty awful, for most people. This wasn’t unique to the USA. Russia didn’t abolish serfdom until 1861, until the peasants were owned by the land (and this by the landowners). The UK didn’t allow all people over the age of 18 to vote until 1969.

The fact the past was terrible is not a surprise to anyone who has paid attention to any period in history in any country.

The important thing was the direction. The kind of racism and homophobia that were normal in the 1970s had at least become things that people would criticise by the late 1990s, even if they weren’t eliminated. Jim Crow laws, sodomy laws, and so on had long shadows but were at least being removed from the statute books.

Progress was a lot slower than many of us would have liked, but it was at least moving in the right direction. Not everyone was able to enjoy all of the freedoms that a modern society should convey, but more people were every year. Even bigots had smaller sets of people that they considered not to count as people each year.

The change that people are complaining about is reversing the direction of travel. The fact that things were bad in the past doesn’t contradict this. The thing we’re upset about is not that the current state is new, it’s the exact opposite: that we are returning to a state that we should have moved on from.

[oss-security] CVE-2025-29953: Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass

https://www.openwall.com/lists/oss-security/2025/04/18/3

"servers could abuse the unbounded deserialization *in the client* to provide malicious responses that may eventually cause arbitrary code execution on the client"

"The project is considering to [...] drop this part of the NMS API altogether."

@tychotithonus Straight to jail.

Proper root cause analysis of the Erlang/OTP SSH bug (CVE-2025-32433):

https://www.openwall.com/lists/oss-security/2025/04/18/2

I spent all morning trying to decode the Apple Positional Audio Codec (APAC)’s GlobalConfig from its MPEG4 Sample Description Box (stsd).

If you want to follow along:

• the codec is in /System/Library/Frameworks/AudioToolbox.framework/AudioCodecs
• See apac::GlobalConfig::Serialize and apac::GlobalConfig::Deserialize
• If you need a sample file: afconvert -o sound.m4a -d apac -f mp4f sound.wav
• Or grab a sample file from https://trac.ffmpeg.org/ticket/11480
• Pull the stsd from the m4a with mp4extract --payload-only moov/trak[0]/mdia/minf/stbl/stsd/apac sound.m4a sound_config.bin
• The config starts after dapa then 4 0x00 bytes
• First two bytes of the apac bitstream are 0x08 0x00 (see IsAPACBitstreamVersionValid / ACAPACBaseEncoder::GetMagicCookie)
• followed by the GlobalConfig

If you know, you know...

Released new Pwndbg: 2025.04.18

It adds display of breakpoints in the disasm view, new libcinfo command, improves attachp & hexdump commands, UI, TUI and more. Also, command names use "-" istead of "_" now for consistency.

Read more and download it on https://github.com/pwndbg/pwndbg/releases/tag/2025.04.18 !

#pwndbg #gdb #binaryexploitation #ctf #security #tools

Oof. Reportedly, if you got a certificate from SSL.com by putting “example[@]gmail.com” at _validation-contactemail.example.com, they would add gmail.com (!!!) to your verified domains.

A good reminder to use the CAA record, and to sign up for CT monitoring (e.g. Cert Spotter).

https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

TIC80 jam just kicked off, with a DJ set from Commander Homer!

https://streaming.media.ccc.de/revision2025/revision

#Revision2025

After #flareon11 challenge 7, I got inspired to build tooling for #dotnet Native AOT reverse engineering.

As such, I built a #Ghidra Analyzer that can automatically recover most .NET types, methods and frozen objects (e.g., strings).

👉https://blog.washi.dev/posts/recovering-nativeaot-metadata/

CVE-2025-25364: Speedify VPN MacOS privilege Escalation https://blog.securelayer7.net/cve-2025-25364-speedify-vpn-macos-escalation/

Take Action: Defend the @internetarchive - https://blog.archive.org/2025/04/17/take-action-defend-the-internet-archive/ "This lawsuit is an existential threat to the Internet Archive and everything we preserve—including the Wayback Machine, a cornerstone of memory and preservation on the internet." please sign the open letter if you can

Fun fact:

💁 The oldest known buffer overflow vuln dates back to UNIX V6 login

💁‍♀️ It appeared in a 1981 post by Truscott & Ellis (better known for inventing Usenet)

💁‍♂️ The next overflow vuln was fingerd, 1988

Bonus fact:

🙅 The login vuln isn’t real:

https://www.tuhs.org/cgi-bin/utree.pl?file=V6/usr/source/s1/login.c

Multiple vulnerabilities in libxml2 https://www.openwall.com/lists/oss-security/2025/04/17/3
CVE-2025-32414: Buffer overflow when parsing text streams with Python API
Python Package Index contains outdated and unsanctioned vulnerable upload
CVE-2025-32415: Heap-based Buffer Overflow in xmlSchemaIDCFillNodeTables

It was only a matter of time - a contracted, approved grant to the Internet Archive was cut with no warning.

https://sfstandard.com/2025/04/17/doge-neh-funding-cuts-sf/

The first edition of the #CHERIoT book has been published!

The eBook editions are available for purchase now from a few retailers, print editions will take a bit longer to appear (up to two weeks). And, of course, the drafts of the second edition remain free (HTML, ePub, PDF) from the CHERIoT site

Thanks to Discribe Hub for funding a lot of the work on this edition!

@swapgs @raptor exactly!

@raptor I know I should be impressed by the LLM, but without actual analysis I feel we just took another step toward making everyone dumber...

oss-security - Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
https://www.openwall.com/lists/oss-security/2025/04/18/1

Exploit published ^