📰 BinaryFormatter removed from .NET 9

Starting with .NET 9, we no longer include an implementation of BinaryFormatter in the runtime. This post covers what options you have to move forward.

https://devblogs.microsoft.com/dotnet/binaryformatter-removed-from-dotnet-9/ #dotnet

Micropatches were released for Windows DWM Core Library Elevation of Privilege Vulnerability (CVE-2024-30051)

Micropatches were released for "FakePotato" Local Privilege Escalation (CVE-2024-38100)

my university has converted our office telephones to Microsoft Teams. when i grumbled about this to a favourite sysadmin, this is how they responded 🔥

“Microsoft has actually brilliantly leveraged the lousy security landscape -- for which they are in no small part responsible -- to capture even larger market-share, as we now need commercial entities to produce the software required to protect us from their failures, and therefore need a more uniform environment to achieve the necessary scale. The uniformity then guarantees an ever greater scale for the inevitable conflagration. Monocultures guarantee one big fire instead of a bunch of small survivable ones. We really have no interest in learning from evolution, in no small part because it would produce fewer billionaires.

— Local Cranky IT Guy” [shared with permission]

#Enshittification

According to https://httparchive.org/reports/page-weight, the median weight in KB for web page tech on desktop:

Over the last 14.5 years:

HTML
2010: 20KB;
mid 2024: 33KB;
Increase of 65%.

Images
2010: 229KB;
mid 2024: 1,062KB;
Increase of 464%.

JavaScript
2010: 89KB;
mid 2024: 640KB;
Increase of 719%.

- - -

Over the last 9 years:

Video
mid 2015: 173KB;
mid 2024: 3,872KB;
Increase of 2,238%.

I reckon that in the era of AI the JS gradient is gonna steepen significantly

#climateDiary

Holy shit, the Rijksmuseum used a 100MP Hasselblad camera to take almost eight and a half THOUSAND photos of the whole of Rembrandt's The Night Watch, for a total image size of 717 GIGAPIXELS. 😳

It's on their website as a zoomable image and you can zoom in so far you can see the individual cracks in the paint: https://www.rijksmuseum.nl/en/stories/operation-night-watch/story/ultra-high-resolution-photo

CISA: CISA Adds One Known Exploited Vulnerability to Catalog
Hot off the press! CISA adds CVE-2024-38856 (CISA-ADP: 8.1 high) Apache OFBiz Incorrect Authorization Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation.

cc: @ntkramer @hrbrmstr

#CVE_2024_38856 #vulnerability #CVE #Apache #ofbiz #kev #cisa

We provisioned cloud infrastructure the Max Power way, showing that AI tools often generate code that works but has terrible security properties.
https://buff.ly/3X54ZSN

My understanding of the charges against Pavel Durov & Telegram
https://alecmuffett.com/article/110316
#EndToEndEncryption #PavelDurov #france #telegram

UPDATE: Chrome ZeroDay Vulnerabilities (CERT-EU Security Advisory 2024-088)

A critical zero-day vulnerability, CVE-2024-7971, has been identified and patched in Google Chrome. This marks the ninth such vulnerability discovered in 2024. The flaw, which has been actively exploited in the wild, is rooted in a type confusion issue within Chrome's V8 JavaScript engine. This vulnerability allows attackers to potentially execute arbitrary code on affected systems.
[New] On August 26, Google announced that it patched the tenth zero-day vulnerability in Chrome. This vulnerability is also reported as being exploited.

https://www.cert.europa.eu/publications/security-advisories/2024-088/

Back to School - Exploiting a Remote Code Execution Vulnerability in Moodle https://blog.redteam-pentesting.de/2024/moodle-rce/

Critical Vulnerability in SonicWall SonicOS (CERT-EU Security Advisory 2024-089)

On August 23, 2024, SonicWall issued a security advisory regarding a critical access control vulnerability (CVE-2024-40766) in its SonicOS. This flaw could allow attackers to gain unauthorised access to resources or cause the firewall crash.
It is recommended updating as soon as possible.

https://www.cert.europa.eu/publications/security-advisories/2024-089/

I released a poc & some details for CVE-2024-38063, a RCE vuln in tcpip.sys patched by MS last week: https://github.com/ynwarcs/CVE-2024-38063

Analyzing and Exploiting CVE-2024-38063, an RCE Vulnerability In the Windows TCP/IP Stack

https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html

IBM issued a fix to CVE-2024-27275 that mitigates an #IBMi privilege escalation technique we published last year:

🥷https://blog.silentsignal.eu/2023/03/30/booby-trapping-ibm-i/
🧑‍🏭https://ibm.com/support/pages/node/7157637

The PTF restricts the use of the ADDPFTRG command - this is a breaking change documented in the Memo to Users.