Cheers to 11 years of AppSec Ezine! 🎉 Huge thanks to the security community for sharing and the supporters who made this journey possible. Here's to another year of knowledge-sharing! 🚀

572nd Edition: https://pathonproject.com/zb/?871f09331bbd8d13#6ahftCLH0VYSLjlk8M+FtRW8EibTcKL+J5qO7xUUPpk=

Repo: https://github.com/Simpsonpt/AppSecEzine

#AppSec #Security

The second blog is about an interesting bug class in COM servers that implement IDispatch, which allows you to potentially create other objects in the process. For example every OOP COM server with IDispatch allows you to create a STDFONT object which isn’t really designed to be safely used cross process. To demo its usefulness I then use the trick to get code injection in a Windows-PPL process from where you could open protected LSASS etc. https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html

CVE-2025-21325 - 2025-Jan - ARM64 - Windows Secure Kernel Mode Elevation of Privilege

#ghidriff full diff 👀 https://gist.github.com/clearbluejar/318abe5d072eef55b9ea7c23a591726e

Incorrect permission assignment? 🧐 https://gist.github.com/clearbluejar/318abe5d072eef55b9ea7c23a591726e#skmicommitpte-diff

Please share: Our Max Planck Institute recently left X and is present here on Mastodon. Give them a follow! Beautiful pictures from the science of light!

#Mastodon #Physics #Science #Light #Quantum #Optics #Photonics #Pictures

@maxplanckgesellschaft

From: @MPI_ScienceOfLight
https://wisskomm.social/@MPI_ScienceOfLight/113906463840724222

You gotta be kidding me with this bullshit.

"But DeepSeek & Meta’s recent research suggests that more AI capabilities (& efficiency savings) could be gained by going down a more dangerous path — where AIs develop their own alien language."

The journalists amplifying this garbage will not be held accountable when the hype cycle is gone because the next cycle of journalists will do the same thing during the next hype cycle.

I don't want to amplify the article so not posting the actual article.

Alright, new rule.

NIST settled this shit before half of you twerps in NetSec or IT could drive.

If I have to change a password because it's expired one more fucking time, I am finding the least secure possible phrase that fits the security rules.

I don't even have to remember the damn things, the PM will take care of it, but you are burning my time that I'm already not being paid enough to give you.

PyPI's new archival feature lets maintainers explicitly signal when projects won't receive future updates. No more guessing about maintenance status - package users can now make clear, informed decisions about their dependencies.

https://blog.trailofbits.com/2025/01/30/pypi-now-supports-archiving-projects/

Brewster Kahle, the internet’s librarian

Brewster Kahle, founder of the Internet Archive, housed in a former San Francisco church with Greek columns that echo the ancient Library of Alexandria, discusses his three-decade mission to preserve humanity’s digital knowledge and culture. via @internetarchive

https://www.californiasun.co/podcast/brewster-kahle-the-internets-librarian/

Well done @brewsterkahle !!

#digital_library #librarians #publicdomain

I designed this open-source handheld Sokoban game back in 2023, but the original OLED display module is no longer available.

In a bid to revive the project, I did a major redesign for a new display module. You can now build your own - enjoy!

https://lcamtuf.coredump.cx/sir-box-a-lot/

Despite being central to their security, many orgs struggle to securely implement #OAuth. Our new post walks through common issues & how to prevent them, along with a useful checklist! Read it today & ensure your org is secure: https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html

#doyensec #security #appsec

Coming up next:
the .EXE file format!

I think this goes without saying but please send me your weird encodings. I want to make Hackvertor better and malformed or strange encoding will help me do that so please message me.

A blog post on r2ai / decai by @pancake which shows decompiling to Swift :

https://www.nowsecure.com/blog/2025/01/29/decompiling-apps-with-ai-language-models/

#radare2 #decai #decompile #AI

important question for anyone good at x86. can microcode cache the top of the stack in processor registers for sufficiently nearby pushes and pops or do stack accesses always require a cache access no matter what

Does anyone know how to make the computer stop doing that

The history of the RAND Corporation is fascinating. And it isn't even a corporation! https://en.wikipedia.org/wiki/RAND_Corporation

Now accepting applications for our 2025 summer internship program!

Available tracks & examples:
AI/ML Security: Develop safety frameworks, conduct risk assessments
Application Security: Exploit kernel vulnerabilities, conduct code reviews, develop anti-DRM solutions
Blockchain: Enhance Slither/Echidna, shadow professional security audits
Cryptography: Build next-gen cryptanalysis tools, contribute to academic research
Operations: Drive strategic initiatives alongside our CEO

Details:
Duration: June - August 2025
Location: NYC or Remote
Direct mentorship from industry experts

Apply now: https://apply.workable.com/trailofbits/j/7476E8C7DC/

2024 was a significant year for decompilation, constituting a possible resurgence in the field. Major talks, the thirty-year anniversary of research, movements in AI, and an all-time high for top publications in decompilation.

Join me for a retrospective:
https://mahaloz.re/dec-progress-2024