Game I would like to play: Factorio but you *only* do compliance paperwork
I am mildly amused that OpenAI telemetry rollout led to a classical Kubernetes control plane DoS.
In my experience DDoSing your own control plane is the #1 way people generate large failures in K8s. What are others?
Hey y'all,
the https://madweb.work/ Program Committee was just announced (featuring yours truly).
Please remember to submit your papers about web security by January 9th 2025. We are interested in research at the junction of web & browser security. More on the website :)
Feel old yet? The WinRAR registration nag screen is Electron these days.
EDIT: Whoops, it seems I'm wrong: this is just an embedded webview, which on Win10 is apparently Chromium-backed (probably because it's Edge).
#Polish researchers have discovered components of a German #Enigma cipher machine, crucial to the Nazi wartime communications system, on Sobieszewska island near the city of Gdańsk. All in all, 8 rotors and various other parts were recovered. https://tvpworld.com/84053156/fragments-of-rare-german-enigma-machine-unearthed-in-poland
One of the fun parts of doing my security audits is coming across unexpected code that looks exploitable, and trying it out myself to see what possibilities exist.
In a recent audit, I found myself asking... What if you hashed null?
https://securinglaravel.com/security-tip-what-if-you-hashed-null/
Calling all Mystery AI Hype Theater 3000 fans! Have you found a piece of Fresh AI Hell but not known where to send it? Here's the spot:
https://thecon.ai/submit-fresh-ai-hell/
Help @alexhanna.bsky.social and me clean out the Fresh Hell by submitting it there!
DevOps practices are all well and good, but beware of the configuration of the tools that access your production.
I've written a blog post sharing some dangerous ways Argo CD can be configured, detailing the security impact: https://ledger.com/argo-cd-security-misconfiguration-adventures