Dutch researchers @midnightbluelab
found a critical zero-click vuln in a photo app enabled by default on Synology storage devices, putting millions of systems at risk of being hacked. They found Synology systems owned by police/law firms/critical infrastructure contractors online and all vulnerable to attack. Synology has called the vuln "critical" and issued a patch last week but apparently didn't notify customers. Synology devices don't have automated update capabilities. Here's my story: https://www.wired.com/story/synology-zero-click-vulnerability/

Early 2020 I wrote this blog post about how #Microsoft #OneDrive exports malformed #ZIP files that cannot be unzipped by widely-used tools (this only happens for large, > 4GB ZIP files):

https://www.bitsgalore.org/2020/03/11/does-microsoft-onedrive-export-large-ZIP-files-that-are-corrupt

Fast-forward 4.5 years, and Microsoft *still* hasn't fixed this!

Just ran into this again with a 6.5 GB file! Luckily the Fix-OneDrive-Zip tool by Paul Marquess helped me out again:

https://github.com/pmqs/Fix-OneDrive-Zip

#wtfZIP #wtfMicrosoft

Quick, release your #0day, US is preoccupied with the election! ;)

[RSS] iPod Clickwheel Games Preservation Project

https://hackaday.com/2024/11/04/ipod-clickwheel-games-preservation-project/

Was it a mistake to teach fonts how to think? https://github.com/nevesnunes/z80-sans

[RSS] Introducing lightyear: a new way to dump files in PHP

https://www.ambionics.io/blog/lightyear-file-dump

✍️ Debugging the Windows Hypervisor: Inspecting SK Calls by @dor00tkit

https://dor00tkit.github.io/Dor00tkit/posts/debugging-the-windows-hypervisor-inspecting-sk-calls/

Performance isn't the enemy of security: we care about both. Today's patches finish off a set of security/performance improvements to eBPF. Below we show a ~30x speedup vs vanilla in running the eBPF selftests with every single #grsecurity option enabled!

In a new Q&A, Philip Bump, columnist for The Washington Post, reflects on why archiving the news goes beyond saving stories. From holding leaders accountable to capturing moments in culture, Bump shares insights on the need to preserve digital media. #VanishingCulture

🔗 https://blog.archive.org/2024/11/04/vanishing-culture-qa-with-philip-bump-the-washington-post/

New assessment for topic: CVE-2024-37404

Topic description: "Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution. ..."

"Ivanti Connect Secure versions prior to 22.7R2.1 and 22.7R2.2, and Ivanti Policy Secure versions prior to 22.7R1 are vulnerable to [CRLF injection](https://owasp.org/www-community/vulnerabilities/CRLF_Injection), which leads to remote code execution with the privileges of the user `root` ..."

Link: https://attackerkb.com/assessments/34ea5769-e0d6-4c65-bfc3-510c679ef515

Don’t miss out—RE//verse tickets are on sale now! https://shop.binary.ninja/products/re-verse

funny one

https://bird.makeup/@spendergrsec/1851625943237902784

Announcement: ph0wn registration is opening today at 2pm!

The Ph0wn/Pico fan shop is already open. You'll find there hoodies, t-shirts, bags and many other items with or without @picolecroco . All items are sold at cost price and there's a 25% discount for 10 days.
Wear your item on the day of ph0wn!

https://ph0wn.myspreadshop.fr/

#ph0wn #registration #workshop #shop

I have written a copyleft #chiptune and #lofi album for the upcoming Radare2 conference: https://rada.re/con/2024/

Enjoy!

https://darkharmony.bandcamp.com/album/r2con-2024

#electronic #chiptune #radare2 #r2 #r2con #r2con2024

Hotdog or not hotdog?? 🌭

Let's take a look into a machine learning app that can detect hotdogs. How does it work? Can we change it into a pizza detector 🍕 app?

https://youtu.be/e2kosWm2vag
#reverseengineering #reversingshorts

🔥💀After 40 hours of constant reversing of weird looking c++ and no sleep, I Finally cooked the
CVE-2024-47575 fortimanager unauthenticated RCE 🩸

https://bird.makeup/@watchtowrcyber/1853262240822276534

[RSS] TLS 1.3 Hybrid Key Exchange using X25519Kyber768 / ML-KEM

https://www.netmeister.org/blog/tls-hybrid-kex.html

#cryptoraphy #tls #pqcrypto

[RSS] Reverse-engineering what a "short" section is

https://devblogs.microsoft.com/oldnewthing/20241029-00/?p=110436

#PowerPC #PPC #Itanium

[RSS] I have enabled "take ownership" permission, but I still cannot obtain write access

https://devblogs.microsoft.com/oldnewthing/20241030-00/?p=110440

Code auditing is not the same as vulnerability research

https://pacibsp.github.io/2024/code-auditing-is-not-the-same-as-vulnerability-research.html