"I'm interested in all kinds of astronomy."

“CrowdStrike Earnings: Cybersecurity Firm Posts Higher Revenue Amid Swing to Loss - WSJ”

https://www.wsj.com/business/earnings/crowdstrike-raises-outlook-post-higher-revenue-amid-swing-to-loss-dde5cf9f

So, I've long argued that all of software dev's dysfunctions can be traced to the fact that business outcomes do not depend on software quality, design, or reliability. As long as this dynamic continues the software we use will only get worse

Here we go again explaining to supposedly technologically literate people that what they *publish* on the Internet can and will be scraped... Bluesky's explanation ("we can't enforce this") is on point btw.

RE: https://infosec.exchange/@josephcox/113551853623942786

#twitter #uspol
What I don't get about the post-election Twitter exodus is that for the masses (ofc not you, dear reader!) somehow it was OK to create content (and thus attract ad money) there, while *after* the owner's friend got elected it's suddenly not?

bert hubert 🇺🇦🇪🇺🇺🇦

Earlier post, but in recent talks I'm encountering more and more organizations that are losing their last technical people. You can outsource a lot, but most places have a core thing that they should really own. And once your own technical department is no longer viable, you are hosed. The longer story: https://berthub.eu/articles/posts/your-tech-my-tech/

thesis: numbers stations are a form of microblogging

Why do BloodHound CE passwords expire?! 🤦

New post: Vulnerability Disclosure: Command Injection in Kemp LoadMaster Load Balancer (CVE-2024-7591) https://insinuator.net/2024/11/vulnerability-disclosure-command-injection-in-kemp-loadmaster-load-balancer-cve-2024-7591/

This effect lasted about 24h, now I get the same braindead content again :P

So much for "personalized experience"...

RE: https://infosec.place/objects/0fe974a7-6345-4ccc-a9a4-5dce0da786a9

What, it's already this time of the year again?! Yes, 'tis the season of reviewing and selecting our top picks from around 3.000 productions - and we would love to have you on the team as a juror! Sign up now:
https://2025.meteoriks.org/taking_part/juror/

[RSS] Hacking Barcodes for Fun & Profit...

https://blog.mantrainfosec.com/blog/16/hacking-barcodes-for-fun-profit

Old friend hacking Hungarian bottle recycling machines :) #DRS

CFP window ends this friday! We have ~50 submissions so far -- competitive but not so busy that a high quality talk can't rise to the top, make sure to get your submission in soon.

https://sessionize.com/re-verse


Microsoft: "we had one yes, but what about second Patch Tuesday?"

  • CVE-2024-49053 (7.6 high) Microsoft Dynamics 365 Sales Spoofing Vulnerability
  • CVE-2024-49035 (8.7 high) Partner.Microsoft.Com Elevation of Privilege Vulnerability (EXPLOITATION DETECTED FLAG)
  • CVE-2024-49038 (9.3 critical) Microsoft Copilot Studio Elevation Of Privilege Vulnerability
  • CVE-2024-49052 (8.2 high) Microsoft Azure PolicyWatch Elevation of Privilege Vulnerability

Only CVE-2024-49053 has any substantial information in their FAQ section. CVE-2024-49035 is "not exploited" but "exploitation detected" 🤔 (analyst comment: likely a gaffe). The rest are Not Exploited, Not Publicly Disclosed, and Exploitation Less Likely.


Gotta love IoT stuff

Splunk security advisories since apparently they missed and everyone wants to push to prod before Thanksgiving:

  • SVD-2024-1101 Third-Party Package Updates in Python for Scientific Computing - November 2024 (1 CVE)
  • SVD-2024-1102 Third-Party Package Updates in Splunk Machine Learning Toolkit - November 2024 (3 CVEs)

No mention of exploitation.

[RSS] Introducing NachoVPN: One VPN Server to Pwn Them All

https://blog.amberwolf.com/blog/2024/november/introducing-nachovpn---one-vpn-server-to-pwn-them-all/

Interesting concept: rogue VPN server to compromise misconfigured clients

GitLab security advisory: GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5

  • CVE-2024-8114 (8.2 high) Privilege Escalation via LFS Tokens
  • CVE-2024-8237 (6.5 medium) Denial of Service (DoS) through uncontrolled resource consumption when viewing a maliciously crafted cargo.toml file.
  • CVE-2024-11669 (6.5 medium) Unintended Access to Usage Data via Scoped Tokens
  • CVE-2024-8177 (5.3 medium) Gitlab DOS via Harbor registry integration
  • CVE-2024-1947 (4.3 medium) Resource exhaustion and denial of service with test_report API calls
  • CVE-2024-11668 (4.2 medium) Streaming endpoint did not invalidate tokens after revocation

No mention of exploitation.

XBOW found a path traversal vulnerability (CVE-2024-53844) in LabsAI's EDDI project that allows attackers to download any file on the server. XBOW combined a series of URL encodings and path normalization bypasses to trigger the flaw. Users of versions 4.3–5.3 should upgrade.

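The post above names the two bypass classes XBOW chained: layered URL encoding and path normalization tricks. What follows is an added example, not code from XBOW, LabsAI's EDDI, or the advisory, and it does not reproduce the EDDI flaw. It contrasts the raw-string substring check that such bypasses defeat with a decode-then-canonicalize-then-contain check, run over constructed request paths against a hypothetical document root /srv/app/public.

```python
# Added example (not from XBOW, LabsAI/EDDI, or the CVE advisory): a
# file-serving path check that holds up against layered percent-encoding and
# path-normalisation bypasses. BASE and SAMPLES are constructed for
# illustration only.
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

BASE = Path("/srv/app/public")  # hypothetical document root


def is_naive_safe(raw: str) -> bool:
    """The weak check many handlers ship: a substring test on the raw path."""
    return ".." not in raw


def fully_decode(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing.

    A path that is still changing after max_rounds is nested-encoded several
    levels deep, which is rarely legitimate for a static-file request, so it
    is rejected rather than decoded further.
    """
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    raise ValueError("excessive percent-encoding")


def resolve_under_base(raw: str, base: Path = BASE) -> Optional[Path]:
    """Decode first, normalise second, then check containment on the
    canonical path. Returns the resolved path, or None if it escapes base."""
    try:
        decoded = fully_decode(raw)
    except ValueError:
        return None
    if "\x00" in decoded:  # NUL truncation tricks in older stacks
        return None
    # Treat backslashes as separators too, so "..\" is not a way around the
    # check on platforms or libraries that accept both.
    decoded = decoded.replace("\\", "/")
    # Drop leading separators so the client cannot anchor at the FS root.
    rel = decoded.lstrip("/")
    # resolve() collapses "." and ".." and follows symlinks; with the default
    # strict=False it also works for paths that do not exist yet.
    base_r = base.resolve()
    candidate = (base_r / rel).resolve()
    if candidate == base_r or base_r in candidate.parents:
        return candidate
    return None


# Constructed request paths: the first is legitimate, the rest are traversal
# attempts in the encodings a scanner would try.
SAMPLES = [
    "static/app.js",
    "../../etc/passwd",                      # plain traversal
    "%2e%2e/%2e%2e/etc/passwd",              # single-encoded dots
    "%252e%252e/%252e%252e/etc/passwd",      # double-encoded dots
    "static/%2e%2e%5c%2e%2e%5cetc/passwd",   # encoded dots + backslashes
    ".%2e/.%2e/etc/passwd",                  # mixed literal/encoded dots
]


def audit(samples=SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Return {raw_path: (naive_allows, hardened_allows)} for each sample."""
    return {s: (is_naive_safe(s), resolve_under_base(s) is not None)
            for s in samples}


if __name__ == "__main__":
    for raw, (naive, hardened) in audit().items():
        n = "allow" if naive else "deny"
        h = "allow" if hardened else "deny"
        print(f"{raw:40} naive={n:5} hardened={h}")
```

Of the six constructed paths, the substring check only stops the plain one; the hardened check admits only the legitimate request, because containment is decided on the fully decoded, canonical path rather than on whatever bytes the client sent.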
Since my previous PSA got so popular, here's a fun fact:

The very popular blog engine #Jekyll does not generate a feed by default! You have to add the jekyll-feed plugin and reference the generated Atom XML in your template!

https://github.com/jekyll/jekyll-feed