Being an exploit dev in 2025 allows you to write JavaScript professionally without having to use React, Node.js, or any library at all, really—there’s something beautiful about that
Let me give you another peek into the everyday work of the #curl security team. A reported UAF we deem not a security problem:
When newcomers show up at a maker meetup, some come in with the attitude "I have this idea but I don't know how to build it to see if it's real." This is good! We're happy to introduce them to the resources they need and help as they learn.
But more frequently people come in with "I have this great idea, I JUST need somebody to build it for me." When we offer the same kind of help, it is rejected. "No I don't care about that, that's your job. I'm the ideas guy."
What did they think happens at a maker meetup? Did they think we were all sitting around idle and helpless "I wish somebody would walk in with an idea"?
Ha!
Everybody else here has their own to-do list of project ideas. Longer than we'd ever get to finishing. Look at the table in front of you, full of stuff we've brought for show-and-tell. None of us needed "an ideas guy" that thinks execution is beneath them.
If I'm in a good mood, I would try to encourage them to further develop their idea while being firm I am absolutely not signing up to build it for them.
If I'm not in a good mood...
À propos of nothing, here's the inlay design of a _word processor_ app for the ZX Spectrum.
I never had a ZX Spectrum and don't have a need for an 8-bit word processor at the moment, but this design — as they say — goes hard.
Notice the word "PUNISHMENT" that's included in the design — for seemingly no reason at all.
I yearn for the alternate reality in which COMPACT OFFICE is what we use instead of boring MS Word and Google Docs.
The Meta Bug. The story of a bug that affects itself by preventing its own resolution.
This was a really fun vulnerability to have the pleasure to consult on:
https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking
It turns out AES-CMAC is not second preimage resistant if you know the key (doubly so if the key is in an RFC), and 2048-bit numbers are quite often very easy to factor.
The US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
You can now jailbreak your AMD CPU! 🔥 We've just released a full microcode toolchain, with source code and tutorials. https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking
Criminalizing student protests? Suppression of academic freedom? We had all these in the Philippines years ago.
Professors and student protestors were "red tagged" as communists. Soldiers confiscated books from libraries they called subversive. Vandalism of libraries.
🧵
I look forward to Cellebrite's LLM being called as a witness during a trial.
‘The political press may not understand what’s happening (or may be too afraid to say it out loud), but those of us who’ve spent decades studying how technology and power interact? We see it and we can’t look away.
So, here’s the bottom line: when WaPo’s opinion pages are being gutted and tech CEOs are seeking pre-approval from authoritarians, the line between “tech coverage” and “saving democracy” has basically disappeared. It’s all the same thing.’
https://www.techdirt.com/2025/03/04/why-techdirt-is-now-a-democracy-blog-whether-we-like-it-or-not/
I've written a blog post on analysing and getting RCE on some of the bugs in the AIxCC Nginx challenge: https://roundofthree.github.io/posts/nginx-aixcc-pwn/
Any Apple engineer feel like debugging some hypervisor-related macOS kernel panic?
(Looks like failure by the guest to properly flush TLB panics the host, and seems easiest to repro on M2 Max?)
https://github.com/utmapp/UTM/issues/6919#issuecomment-2565338603