Fact checking my exploit against the Erlang SSH bug and the blog I'm reading uses git to checkout OTP... then proceeds to ask ChatGPT to write a tool to diff the files between the versions... in git. What's worse is that the CVE reference that they link to has always had the exact commit of the fix.

🌐 Tor Browser 14.5 is here! Major improvements include:
• Connection Assist now on Android
• Added Belarusian, Bulgarian & Portuguese
• Improved log readability
• Better performance when quitting the app
Update today! #PrivacyMatters
https://blog.torproject.org/new-release-tor-browser-145/

Reverse engineering the obfuscated TikTok VM

https://github.com/LukasOgunfeitimi/TikTok-ReverseEngineering

#HackerNews #ReverseEngineering #TikTok #VM #Obfuscation #CyberSecurity #TechInsights

Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's "leaked credentials" detection app called MACE.

https://www.bleepingcomputer.com/news/microsoft/widespread-microsoft-entra-lockouts-tied-to-new-security-feature-rollout/

I’m a bit tired of all of the ‘look, the USA did these terrible things in the past, this isn’t new’ posts.

The past was pretty awful, for most people. This wasn’t unique to the USA. Russia didn’t abolish serfdom until 1861, until the peasants were owned by the land (and this by the landowners). The UK didn’t allow all people over the age of 18 to vote until 1969.

The fact the past was terrible is not a surprise to anyone who has paid attention to any period in history in any country.

The important thing was the direction. The kind of racism and homophobia that were normal in the 1970s had at least become things that people would criticise by the late 1990s, even if they weren’t eliminated. Jim Crow laws, sodomy laws, and so on had long shadows but were at least being removed from the statute books.

Progress was a lot slower than many of us would have liked, but it was at least moving in the right direction. Not everyone was able to enjoy all of the freedoms that a modern society should convey, but more people were every year. Even bigots had smaller sets of people that they considered not to count as people each year.

The change that people are complaining about is reversing the direction of travel. The fact that things were bad in the past doesn’t contradict this. The thing we’re upset about is not that the current state is new, it’s the exact opposite: that we are returning to a state that we should have moved on from.

The Rise of Slopsquatting: How AI Hallucinations Are Fueling a New Class of Supply Chain Attacks

https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks?utm_medium=feed

> Slopsquatting is a new supply chain threat where AI-assisted code generators recommend hallucinated packages that attackers register and weaponize.

This was an excellent article covering an area that definitely has not gotten enough attention, especially coupled with Vibe Coding.

SlopSquatting... What an excellent name!

#Socket #SlopSquatting #Cybesecurity

[oss-security] CVE-2025-29953: Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass

https://www.openwall.com/lists/oss-security/2025/04/18/3

"servers could abuse the unbounded deserialization *in the client* to provide malicious responses that may eventually cause arbitrary code execution on the client"

"The project is considering to [...] drop this part of the NMS API altogether."

@tychotithonus Straight to jail.

Proper root cause analysis of the Erlang/OTP SSH bug (CVE-2025-32433):

https://www.openwall.com/lists/oss-security/2025/04/18/2

I spent all morning trying to decode the Apple Positional Audio Codec (APAC)’s GlobalConfig from its MPEG4 Sample Description Box (stsd).

If you want to follow along:

• the codec is in /System/Library/Frameworks/AudioToolbox.framework/AudioCodecs
• See apac::GlobalConfig::Serialize and apac::GlobalConfig::Deserialize
• If you need a sample file: afconvert -o sound.m4a -d apac -f mp4f sound.wav
• Or grab a sample file from https://trac.ffmpeg.org/ticket/11480
• Pull the stsd from the m4a with mp4extract --payload-only moov/trak[0]/mdia/minf/stbl/stsd/apac sound.m4a sound_config.bin
• The config starts after dapa then 4 0x00 bytes
• First two bytes of the apac bitstream are 0x08 0x00 (see IsAPACBitstreamVersionValid / ACAPACBaseEncoder::GetMagicCookie)
• followed by the GlobalConfig

If you know, you know...

Released new Pwndbg: 2025.04.18

It adds display of breakpoints in the disasm view, new libcinfo command, improves attachp & hexdump commands, UI, TUI and more. Also, command names use "-" istead of "_" now for consistency.

Read more and download it on https://github.com/pwndbg/pwndbg/releases/tag/2025.04.18 !

#pwndbg #gdb #binaryexploitation #ctf #security #tools

Oof. Reportedly, if you got a certificate from SSL.com by putting “example[@]gmail.com” at _validation-contactemail.example.com, they would add gmail.com (!!!) to your verified domains.

A good reminder to use the CAA record, and to sign up for CT monitoring (e.g. Cert Spotter).

https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

TIC80 jam just kicked off, with a DJ set from Commander Homer!

https://streaming.media.ccc.de/revision2025/revision

#Revision2025

After #flareon11 challenge 7, I got inspired to build tooling for #dotnet Native AOT reverse engineering.

As such, I built a #Ghidra Analyzer that can automatically recover most .NET types, methods and frozen objects (e.g., strings).

👉https://blog.washi.dev/posts/recovering-nativeaot-metadata/

CVE-2025-25364: Speedify VPN MacOS privilege Escalation https://blog.securelayer7.net/cve-2025-25364-speedify-vpn-macos-escalation/

Take Action: Defend the @internetarchive - https://blog.archive.org/2025/04/17/take-action-defend-the-internet-archive/ "This lawsuit is an existential threat to the Internet Archive and everything we preserve—including the Wayback Machine, a cornerstone of memory and preservation on the internet." please sign the open letter if you can

Fun fact:

💁 The oldest known buffer overflow vuln dates back to UNIX V6 login

💁‍♀️ It appeared in a 1981 post by Truscott & Ellis (better known for inventing Usenet)

💁‍♂️ The next overflow vuln was fingerd, 1988

Bonus fact:

🙅 The login vuln isn’t real:

https://www.tuhs.org/cgi-bin/utree.pl?file=V6/usr/source/s1/login.c

Multiple vulnerabilities in libxml2 https://www.openwall.com/lists/oss-security/2025/04/17/3
CVE-2025-32414: Buffer overflow when parsing text streams with Python API
Python Package Index contains outdated and unsanctioned vulnerable upload
CVE-2025-32415: Heap-based Buffer Overflow in xmlSchemaIDCFillNodeTables