You’d really think that the top seven blocked domains on @KagiHQ being @Pinterest indicate that a functional Google would have deboosted them years ago.

(I’m loving Kagi)

School's out, and so are the latest patches from #Microsoft. We're still waiting on the updates from #Adobe. Check out the analysis from @TheDustinChilds as he breaks down the small release from Redmond. https://www.zerodayinitiative.com/blog/2024/6/11/the-june-2024-security-update-review

#Microsoft patches are out. Another small release. Still waiting on #Adobe :-[ Let them patches out! I'll have my full analysis out soon. #PatchTuesday

[ZDI-24-598] (0Day) Microsoft Windows Incorrect Permission Assignment Information Disclosure Vulnerability (CVSS 7.7; Credit: Uncodable)
https://www.zerodayinitiative.com/advisories/ZDI-24-598/

Mozilla Foundation security advisories:

• 2024-25 Security Vulnerabilities fixed in Firefox 127
• 2024-26 Security Vulnerabilities fixed in Firefox ESR 115.12

15 vulnerabilities in Firefox 127. 8 vulnerabilities in Firefox ESR 115.12. No mention of exploitation

#PatchTuesday #CVE #vulnerability #Firefox #Mozilla

Friendly reminder to submit to GreHack conference: https://grehack.fr/2024/cfp

What's different about GreHack?

- It's a simple one-track conference, but with large audience (usually sold out)
- There's usually a mixture between academic and non-academic presentations. This is enlightening.

On the non-technical side: people are very welcoming, the food is nice (especially for vegetarians), you'll see the snowy Alps, there's an excellent CTF.

#hacking #security #CFP

https://ioc.exchange/@matthew_d_green/112597849837858606

matts thread here is an important one

Tiny Awards https://lobste.rs/s/urihyy #web
https://tinyawards.net/

I’ve said before and saying again. This is a common problem in vendors - the lack of understandings of the importance/value of new attack vector discovery research.

https://x.com/l33d0hyun/status/1800299745623367867

https://bird.makeup/@l33d0hyun/1800299745623367867

it has been nearly three months since the last valid #hackerone report against #curl

Just saying.

I bet you can't find anything to report.

🤠

Hacker Template

https://patchfriday.com/64/

Did anyone realize that #MicrosoftEdge already had a #recall feature? 👀

good morning!
my talk from securityfest has been published!

if you have ~35 minutes and want to learn some stuff about adversarial defenses, have a peek!
https://www.youtube.com/watch?v=ShSR0c81h5U&ab_channel=SecurityFest

Google asks every app to have a Privacy Policy to be accepted in the Play Store. So, xScreenSaver had to write a privacy policy.

Here you go:

https://www.jwz.org/xscreensaver/google.html

NEW, by me: Mandiant says cybercriminals stole a "significant volume of data" from Snowflake customers.

Mandiant and Snowflake say they've notified 165 affected customers so far that their cloud-stored data may have been stolen.

Mandiant said the threat campaign was "ongoing," suggesting more victims to come.

More: https://techcrunch.com/2024/06/10/mandiant-hackers-snowflake-stole-significant-volume-data-customers/

A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates.

https://www.bleepingcomputer.com/news/security/exploit-for-critical-veeam-auth-bypass-available-patch-now/

Uncovering a Critical Vulnerability in Authentik's PKCE Implementation (CVE-2023-48228) | Offensity https://www.offensity.com/en/blog/uncovering-a-critical-vulnerability-in-authentiks-pkce-implementation-cve-2023-48228/

If you want to protect your IT #infrastructure against #MITM attacks where an attacker bypasses domain verification to obtain valid certificates, you may want to use #CAA and #accountURI binding, which is easy to set up. https://www.pentagrid.ch/en/blog/domain-verification-bypass-prevention-caa-accounturi/ #hardening

On a random note, mink (rewrite in Rust) is open-source

note: it’s what’s used for cross trust domain boundaries communication on the AP, but (AP <->) Hexagon uses a completely separate IDL (compiled w/ QAIC)

https://github.com/quic/mink-idl-compiler

AFL++ v4.21 release! Fixed a regression (+5%), better seed selection (+1%), many minor fixes, LLVM 19 support https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.21c #afl #fuzz #fuzzing #fuzzer #fuzzing-tools