"I'm interested in all kinds of astronomy."

A helpful PoC for Dropbear CVE-2025-47203 dropped on oss-security:

https://seclists.org/oss-sec/2025/q2/123

`dbclient 'localhost,|touch 123 '`

I'm at a meeting hosted by somebody else where they're using Microsoft Teams, and in the chat I attempted to share an image that is on my laptop by clicking the + button and Attach file.

The result of doing this is that Teams puts the image in MY COMPANY'S SHAREPOINT SERVER, and nobody else in Teams can see the image because they DON'T HAVE AN ACCOUNT on my company's SharePoint server. 🤦‍♂️

Wonders:
1) Has anybody at Microsoft actually tried using Teams?
2) Why do people choose to use Teams?

Aside: If you copy an image and press Cmd-V to put the image in the chat, Teams actually... puts the image in the chat.


With 5.0, we’re open sourcing one of the oldest components of Binary Ninja: the Shellcode Compiler. It’s powered countless Compile C Source dialogs over the years, and now it’s yours to tinker with. Long term, we’re eyeing LLVM as a modern replacement. https://binary.ninja/2025/04/23/5.0-gallifrey.html#shellcode-compiler-open-sourced https://github.com/vector35/scc


"Your work, no matter how brilliant, becomes valuable to others only in so far as you communicate it to them." -- Simon Peyton-Jones

[RSS] Microsoft spots zero-day use in spy campaign against Kurdish military in Iraq

https://therecord.media/microsoft-zero-day-spy-campaign


Have you ever wanted to stretch your poetry writing muscles in the direction of "bad"? How about "vogon"?!

Read about ZZ9 Plural Z Alpha's Vogon Poetry contest at https://zz9.org/news or just jump in and enter: https://zz9.org/contact

Win a ZZ9 membership today!


Yes, we're beating a dead horse. But that horse still runs in corporate networks - and quietly gives attackers the keys to the kingdom. We're publishing what’s long been exploitable. Time to talk about it. https://code-white.com/blog/ivanti-desktop-and-server-management/


I just realized that @ is a lower case anarchy symbol.


One of my co-founders went into a paid engagement yesterday and was noodling through a piece on how to prevent upstream teams from making changes to application database schemas that would break analytics pipelines.

They got the attention of the room and then said "one solution is a baseball bat".

There was a moment of uncomprehending silence and then they said "solve at the human layer".

[oss-security] Dropbear SSH 2025.88 fixes CVE-2025-47203

https://seclists.org/oss-sec/2025/q2/116

"Don't allow dbclient hostname arguments to be interpreted by the shell."

Sounds like fun on many embedded devices :) Original announcement:

https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q2/002385.html

[RSS] Dubious security vulnerability: A program does not run correctly if you run it the wrong way, redux

https://devblogs.microsoft.com/oldnewthing/20250512-00/?p=111174


Lulz...

"Impact: Muting the microphone during a FaceTime call may not result in audio being silenced"

@ https://support.apple.com/en-us/122404


CVE ID: CVE-2025-47729
Vendor: TeleMessage
Product: TM SGNL
Date Added: 2025-05-12
Vulnerability: TeleMessage TM SGNL Hidden Functionality Vulnerability
Notes: Apply mitigations per vendor instructions. Absent mitigating instructions from the vendor, discontinue use of the product. ; https://nvd.nist.gov/vuln/detail/CVE-2025-47729
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-47729


NOELREPORTS 🇪🇺 🇺🇦

The ICAO Council has ruled that Russia is responsible for downing flight MH17, violating the Chicago Convention by using weapons against a civilian aircraft. 298 innocent lives were lost.

https://www.rijksoverheid.nl/ministeries/ministerie-van-buitenlandse-zaken/nieuws/2025/05/12/icao-raad-russische-federatie-verantwoordelijk-voor-neerhalen-van-vlucht-mh17


There was a short period of time in history when people would unironically say "why are you asking me, go ahead and google it."
(See also: LMFGTFY)

And now we are going back to "for the love of god don't google it, ask an expert instead."


10 Burp extensions I actually use... BUT none of them are in the top 30 most popular in the BApp Store!

I get tired of seeing the same extensions come up in "top 10" lists. Here are some hidden gems you might not have tried... yet. In no particular order.

🧵👇
