We are pleased to announce the completion of security audit of PHP core!
Executed by @quarkslab in partnership with @ostifofficial and commissioned by the @sovtechfund.

Learn more: https://thephp.foundation/blog/2025/04/10/php-core-security-audit-results/

DECORE posted some ADCS magic but I couldn’t yet figure out how to switch language o.O

https://devco.re/blog/2025/04/10/taking-over-the-entire-domain-in-minutes-what-have-you-overlooked-in-active-directory/

Edit: This doesn’t seem like anything Earth-shattering, but a nice summary of state of ADCS security (spoiler: it is bad)

TIL PHP OpCache has a Lua interpreter embedded o.O

https://github.com/php/php-src/blob/master/ext/opcache/jit/ir/dynasm/minilua.c

After installing April's updates, Windows 10 and 11 systems now have an empty C:\inetpub directory.

This seems... unexpected?

🚨 New advisory was just published! 🚨

A critical Remote Code Execution (RCE) vulnerability has been discovered in Calix. This vulnerability arises due to improper sanitation of user input in a CWMP (CPE WAN Management Protocol) service. Exploiting this flaw allows an attacker to execute arbitrary system commands with root privileges, leading to full system compromise: https://ssd-disclosure.com/ssd-advisory-calix-pre-auth-rce/

I just published a post on my blog about the IBM i 7.6 announcement - enjoy!

https://www.ibmi4ever.com/posts/20250409-ibmi-76-has-been-announced/

#IBMi #ACS

Static Analysis via Lifted PHP (Zend) Bytecode | Eptalights https://eptalights.com/blog/04-php-support

Our new Testing Handbook section on snapshot fuzzing helps security engineers test software that's traditionally difficult to analyze, such as kernel components and antivirus, where a single crash can take down the entire system.

Snapshot fuzzing captures memory and register states at critical execution points, allowing security engineers to:

- Test thousands of code paths without time-consuming system restarts
- Ensure fully deterministic testing where the same input always produces the same result
- Eliminate unreproducible crashes by starting each test from identical states
-Easily track code coverage and detect failures in emulated environments

In this section, we provide step-by-step instructions for building custom harnesses, fuzz campaigns, and more using What the Fuzz (wtf), an open-source snapshot-based fuzzer.

https://blog.trailofbits.com/2025/04/09/introducing-a-new-section-on-snapshot-fuzzing-for-kernel-level-testing-in-the-testing-handbook/

New blog post: With Carrots & Sticks - Can the browser handle web security? https://frederikbraun.de/madweb-keynote-2025.html - This is the blog version of my keynote from MADWeb 2025 earlier this year. It's about how web security could become the browser's responsibility.

okay. if you ever want to get the previous version of a file that Windows Update has updated, do i have an utility for you https://github.com/whitequark/ApplyDeltaB

We've open-sourced another core Binary Ninja feature: SCC. If you're not familiar with it, the Shellcode Compiler has been built-in to BN from the beginning, allowing you to build small PIE shellcode in a variety of architectures right from the UI: https://scc.binary.ninja/ (Source: https://github.com/Vector35/scc)

Seriously, this HAS to be insider trading.

Come on! First you announce tariffs, every stock tanks, you play the hard to get dude and proclaim with a swollen chest that there will be no delays, everything tanks even more.

And now you delay everything by 90 days? In the mean time your buddies bought everything at a low and now the stock recovers.

Come the fuck on!

pleased to hear the penguins have won the trade bargains

#USpolitics #USpol

NEW: A recently published court document shows the locations of WhatsApp victims targeted with NSO Group's spyware.

The document lists 1,223 victims in 51 countries, including Mexico, India, Morocco, United Kingdom, United States, Spain, Hungary, Netherlands, etc.

This targeting was over a span of around two months in 2019, according to WhatsApp's lawsuit against NSO Group.

http://techcrunch.com/2025/04/09/court-document-reveals-locations-of-whatsapp-victims-targeted-by-nso-spyware/

Just saw it mentioned on LWN, handy site for checking which distros enable a certain config option: https://oracle.github.io/kconfigs/?config=UTS_RELEASE&... Just replace UTS_RELEASE with whatever config option name minus CONFIG_, for example: https://oracle.github.io/kconfigs/?config=CFI_CLANG&...

Splitting water into hydrogen and oxygen takes more energy than it theoretically should, which is partly why it's not used on a large scale to generate hydrogen fuel.

Now scientists know why – and it's all down to a feat of nanoscale gymnastics.

https://physicsworld.com/a/splitting-water-takes-more-energy-than-theory-predicts-and-now-scientists-know-why/

#physics #chemistry #science

🔴 Our @reconmtl talk of last year has been published!

"Path of rev.ng-ance: from raw bytes to CodeQL on decompiled code"

Check it out: https://www.youtube.com/watch?v=0lrhCV14nVE