
Another year, another Microsoft Most Valuable Researcher for me. This year, it has a bittersweet taste though.

Let’s kick off with the sweet part.

I’m quite happy with my consistency and findings. My record for 2024:
- 10x Exchange
- 2x SharePoint
- 1x .NET/VS

Multiple RCEs included.

I have also already reported several vulns for 2025, and I’m happy with the technical level of the findings. Not necessarily with the impact, but you don’t always get RCE ;). I’m especially happy with the fact that I’m doing some risky deep dives, and sometimes it pays off.

I’m also happy with some recent research. I’ve been abusing unknown attack surfaces and I had some success with that (even though I was not familiar with the target). At least some of them are unknown according to my knowledge, so even if they are known, it does not count, right? :)

Now the bitter part.

Over the entire year, I had the impression that the MSRC leaderboard was missing points for the majority of my submissions. I signaled this issue a couple of times, but with no effect. I was not even on the initial MVR list.

After my small tweet, some of my missing points were found and I eventually made it to the list (thx MSRC for this intervention). The truth is, the list is not so important to me. I like to think of vuln disclosure as a mutually respectful process.

I’m not collecting bounties (reporting as ZDI) and the only thing I want in return for my submissions is proper acknowledgment. I think that this process failed in 2024, but I hope it will eventually get better. I have the impression that I should have way more points, but whatever.

Another part: several of my submissions were rejected as expected behavior. Not a nice feeling, but it’s part of the game. I can see a lot of tweets about dropped submissions, and this part concerns everybody. From my perspective, reporting .NET vulns is the hardest.

I have a slight impression that if you cannot exploit something that you consider a .NET vuln in Exchange or SharePoint, it’s probably going to be ignored (based on my experience only). Well, guess what, there are different products/apps based on .NET too :D

To sum up, quite a good year. Hoping to have an even better 2025, although my Exchange run from 2023/2024 will be hard to repeat.

I hope to deliver some nice research and to see you next year during conferences or wherever. Cheers


Here's one way to view the 28 transfer protocols supports.


Google Chrome security advisory: Stable Channel Update for Desktop
Google does not know how to count past five as they state 5 security fixes but list 6 externally reported vulnerabilities:

  1. CVE-2024-7532 (critical): Out of bounds memory access in ANGLE.
  2. CVE-2024-7533 (high): Use after free in Sharing.
  3. CVE-2024-7550 (high): Type Confusion in V8.
  4. CVE-2024-7534 (high): Heap buffer overflow in Layout.
  5. CVE-2024-7535 (high): Inappropriate implementation in V8.
  6. CVE-2024-7536 (high): Use after free in WebAudio.

No mention of exploitation.


After months of digging and reporting, I have learned where Facebook's bizarre AI spam (like "Shrimp Jesus") comes from, who is making it, how it works, and how it is monetized.

Turns out Meta is directly paying people to spam FB with this stuff

https://www.404media.co/where-facebooks-ai-slop-comes-from/

I don't have high expectations about security products, but this one about #CrowdStrike is straight up terrifying.
Can't look into this rn, but based on comments on the other site this Chinese post claims the #CrowdStrike bug is exploitable for LPE:
https://mp.weixin.qq.com/s/uD7mhzyRSX1dTW-TMg4UhQ

I have just added support in for 9.0 (currently in beta). I wrote the changes this weekend, but I had to test multiple things... anyway, enjoy it.

https://github.com/joxeankoret/diaphora/commit/232a2720d56d17acce809b6bf82a6a561c980d82


New fashion goals 💾

[RSS] Unquoted service paths: The new frontier in script kiddie security vulnerability reports

https://devblogs.microsoft.com/oldnewthing/20240723-00/?p=110032
[RSS] There is no mystery over who wrote the Blue Screen of Death, despite what some may want you to believe

https://devblogs.microsoft.com/oldnewthing/20240730-00/?p=110062
[RSS] What are the dire consequences of registering a RunOnce command from my RunOnce command?

https://devblogs.microsoft.com/oldnewthing/20240805-00/?p=110098
x86 ISO warning sticker

Last week, Public Citizen’s Rick Claypool and I filed a complaint with the Federal Election Commission based on my research into apparent campaign finance violations by the Coinbase cryptocurrency exchange.

Read the full complaint and my updated article.

Complaint: https://www.citizen.org/article/coinbase-fec-complaint/

Updated article: https://www.citationneeded.news/coinbase-campaign-finance-violation/


Resorts World Las Vegas announced they're performing periodic room checks for the duration of the blackhat / defcon hacking conference. When asked what they are looking for, one of the employees responded with "people hacking our stuff" ☠️

Reminds me of that old blog post by some dude who got pulled aside by the TSA so they could search his bag for "bitcoins".

https://www.404media.co/hotel-to-search-rooms-during-def-con-hacking-conference/


The original Pentium chip was introduced in 1993. It was the first "superscalar" x86 chip, able to run two instructions per clock cycle. I took this die photo of the chip yesterday. The chip has three metal layers; the thick lines you see are the top metal layer, mostly power and ground. The silicon itself is almost entirely obscured. Around the edges of the chip, tiny bond wires connect to the bond pads, providing the connections to the chip's external pins. 1/N


Currently trending on the bad place (Twitter): Leaked Wallpaper
Proof of concept for CVE-2024-38100 (7.8 high, disclosed 09 July 2024 by Microsoft), Windows File Explorer Elevation of Privilege Vulnerability.

This is a privilege escalation tool (fixed with CVE-2024-38100 in KB5040434) that allows us to leak a user's NetNTLM hash from any session on the computer, even if we are working from a low-privileged user.
