[RSS] CVE-2025-32464 - Overflowing HAProxy regsub converter

https://codeanlabs.com/blog/research/cve-2025-32464-overflowing-haproxy-regsub-converter/

I think the most tragic aspect of deploying "AI" in teaching and learning situations is how much it pushes people into a situation of learned helplessness. This constant feeling of not knowing how to do a thing of being incapable of actually doing work on one's tasks is mentally so harmful. How do people under those conditions gain confidence in their abilities? Like ever?

kASLR Internals and Evolution by @r0keb

https://r0keb.github.io/posts/kASLR-Internals-and-Evolution/

Great news! The Pwnie awards nominations are now open!
https://pwnies.com/nominations/

"If all these big companies are shouting from the rooftops that AI is up to production code the money relies on, then zero open source contributions of substance is a glaring absence."

(Original title: If AI is so good at coding … where are the open source contributions?)

https://pivot-to-ai.com/2025/05/13/if-ai-is-so-good-at-coding-where-are-the-open-source-contributions/

This week’s exciting instalment of Security Vulnerabilities that would be deterministically mitigated by #CHERI is a multi-part series sponsored by #Apple.

Media decoders are trivial to sandbox on a CHERI system (around four lines of code). They take an input buffer and produce an output. They can run with write access to that output buffer and nothing else. An attacker who gains arbitrary-code execution in an image decoder, for example, gains the ability to write an image to the output buffer: exactly the same rights that someone who can substitute a different image file has already.

Adobe's patches are (finally) out. 13 bulletins addressing 40 CVEs in Cold Fusion, Lightroom, Dreamweaver, Connect, InDesign, Substance 3D Painter, Photoshop, Animate, Illustrator, Bridge, Dimension, Stager, & Modeler. The patch blog has been updated. https://www.zerodayinitiative.com/blog/2025/5/13/the-may-2025-security-update-review

Glad to report that with the previous round of fixes loadlibrary works with the latest, 64-bit Windows Defender engine (1.1.25030.1)

https://scrapco.de/blog/fuzzing-windows-defender-with-loadlibrary-in-2025.html

#PatchTuesday

In case you thought CTRL-F in chromium was useless... Microsoft has your back. https://www.neowin.net/news/microsoft-removes-a-lot-of-features-from-the-edge-browser/

Find on Page in Microsoft Edge for Business will soon be integrated with Microsoft 365 Copilot Chat. Microsoft Edge for Business is introducing Microsoft 365 Copilot Chat to Find on Page (CTRL+F). This feature seeks to help users more easily find relevant content and save time. Note: This is a controlled feature rollout. If you don't see this feature, check back as we continue our rollout.

While the #Adobe patches are still missing, the #Microsoft patch Tuesday rolls on with 5 0-days being exploited in the wild. Join @TheDustinChilds as he breaks down the release and calls out some familiar components. https://www.zerodayinitiative.com/blog/2025/5/13/the-may-2025-security-update-review

Pffft *spits coffee all over keyboard*

So apparently on #Linux, usernames starting with "0x" are interpreted as hex numbers under certain circumstances. 🤪 That seems like asking for trouble...

[oss-security] CVE-2025-47436: Apache ORC: Potential Heap Buffer Overflow during C++ LZO Decompression

https://seclists.org/oss-sec/2025/q2/126

"malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it"

The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems https://euvd.enisa.europa.eu/

#security #infosec

A helpful PoC for Dropbear CVE-2025-47203 dropped on oss-security:

https://seclists.org/oss-sec/2025/q2/123

`dbclient 'localhost,|touch 123 '`

I'm at a meeting hosted by somebody else where they're using Microsoft Teams, and in the chat I attempted to share an image that is on my laptop. By clicking the + button and Attach file.

The result of doing this is that Teams puts the image in MY COMPANY'S SHAREPOINT SERVER, and nobody else in Teams can see the image because they DON'T HAVE AN ACCOUNT on my company's SharePoint server. 🤦‍♂️

Wonders:
1) Has anybody at Microsoft actually tried using Teams?
2) Why do people choose to use Teams?

Aside: If you copy an image and press Cmd - V to put the image in the chat, Teams actually... puts the image in the chat.

With 5.0, we’re open sourcing one of the oldest components of Binary Ninja: the Shellcode Compiler. It’s powered countless Compile C Source dialogs over the years, and now it’s yours to tinker with. Long term, we’re eyeing LLVM as a modern replacement. https://binary.ninja/2025/04/23/5.0-gallifrey.html#shellcode-compiler-open-sourced https://github.com/vector35/scc

Stop Saying "Responsible Disclosure"

https://www.da.vidbuchanan.co.uk/blog/responsible-disclosure.html

"Your work, no matter how brilliant, becomes valuable to others only in so far as you communicate it to them." -- Simon Peyton-Jones

[RSS] Microsoft spots zero-day use in spy campaign against Kurdish military in Iraq

https://therecord.media/microsoft-zero-day-spy-campaign

Have you ever wanted to stretch your poetry writing muscles in the direction of "bad"? How about "vogon"?!

Read about ZZ9 Plural Z Alpha's #TowelDay Vogon Poetry contest at https://zz9.org/news or just jump in and enter: https://zz9.org/contact

Win a ZZ9 membership today!