Windows Installer Custom Actions Privilege Escalation Vulnerability https://blog.doyensec.com/2024/07/18/custom-actions.html

Binary Ninja 4.1 (Elysium) is now live! With new control flow recovery, improved types, decompiling two new architectures, a native linux arm client, improved types across all platforms, and many more changes, it's got something for absolutely everyone.

https://binary.ninja/2024/07/17/4.1-elysium.html

I finally got around to setting up a personal website / blog again!

It's at https://serd.es because I bought the domain years ago planning to do this and only recently had the time to sit down and make it happen.

I kicked it off with a short series introducing the major parts of the embedded platform I'm building, but I'll try and do more in-depth posts in the future about stuff I'm working on that's not practical to do in a toot. Generally speaking I'll continue to post live updates here and the blog will be for slightly more finished milestones or subsystem completions.

Feedback (on content or site structure/layout) welcome, I'm not a web dev!

I went with a blog-formatted fork of the GitHub Pages "hacker" theme but changed the font to be more readable than the monospace it used, and made a few other small tweaks. Fully static with no scripting (server or client side) whatsoever, just build-time templating to generate static HTML.

CVE-2024-20401: Cisco Secure Email Gateway Arbitrary File Write Vulnerability

CVSS Base 9.8: Critical

A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH

I’m sure @screaminggoat already alerted about this and I missed it, but here you go.

Actually there’s a whole slew of Cisco advisories today. Check them out here.

#CVE_2024_20401 #Cisco #Vulnerability

Cisco just disclosed a maximum-security vulnerability in its on-premises Smart Software Manager. It allows threat actors to log into the device as an existing user. It's still not clear to me what harm the threat actor could do, since the purpose of this device is to provide a dashboard of licenses. Cisco says:

"A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."

But I still don't know if this means the hacker can only enumerate Cisco products used or something more harmful.

Can anyone help?

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy

Creating an OCI image from source code that can run on any cloud could be very challenging. Quarkslab assessed the security of Cloud Native Builpacks, a tool for creating ready-to-use OCI images directly from source code. The report is available here: https://blog.quarkslab.com/audit-of-cloud-native-buildpacks.html

Interesting privacy evaluation of Topics API suggesting that privacy toll may be significant. This evaluation is based on a small dataset of browsing histories (n=1027). Do you think the results would hold for realistic datasets? I have some doubts (from experience of work on 200k bigger dataset). However, such evaluations of the privacy-utility tradeoff are unambiguously needed, and good. https://arxiv.org/pdf/2403.19577v1

Electron Userland just released a patch for a code signature bypass in electron-updater for Windows I found a few weeks back (CVE-2024-39698): https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq. I'll likely publish a write-up in the coming weeks, it's a fun one ;-)

At some point in the past I had outlined how "BYOVD protection" is a lie. If you're bringing your own driver, you're an admin. And if you're an admin, you can do what you want.

After much unnecessary delay, here is the second part of my blog series, which dives into the blurry lines between "vulnerable" and "not vulnerable" when it comes to Windows drivers.

TL;DR: In some future version of Windows, we may see "vulnerable driver" being able to be defined in a way that it could be protected against. But in the current world that we live in, BYOVD protection simply makes no sense.
https://vu.ls/blog/byovd-protection-is-a-lie-pt2/

Some great research from Germany. The journalists were able to get a “preview” from a data broker with locations of 11 million German advertising IDs over the period of two months. For free, no questions asked, merely claiming to be interested in buying a subscription.

The dataset appears to be compiled from multiple sources and has some quality issues: some locations are only approximate, occasional wrong timestamps, duplicate entries with different advertising IDs. Yet in many cases it is easily possible to find the person behind the movement profile and to learn details about their lives that definitely weren’t meant to be public knowledge.

That’s your installed apps (or rather advertising SDKs they are built with) selling whatever data they can get to anyone willing to pay. I wish I could recommend disabling GPS and the issue is solved. But even though GPS is the source of the most precise location data, it isn’t the only one. The data broker industry is out of control.

https://netzpolitik.org/2024/databroker-files-firma-verschleudert-36-milliarden-standorte-von-menschen-in-deutschland/

#privacy

🔴 Check out our presentation at @passthesaltcon:

Path Of rev.ng-ance: From Raw Bytes To CodeQL On Decompiled Code (30 minutes)

https://passthesalt.ubicast.tv/videos/2024-path-of-revng-ance-from-raw-bytes-to-codeql-on-decompiled-code/