CVE-2024-28956: Xen Security Advisory 469 v2: x86: Indirect Target Selection https://www.openwall.com/lists/oss-security/2025/05/12/5
A bug in the hardware support for prediction-domain isolation. An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.

https://bird.makeup/@vu5ec/1921973704948371486

"[Steam breach] debunked [...] source of it all is an AI company's LinkedIn post that itself looks AI made itself"

https://bsky.app/profile/tannerofthenorth.bsky.social/post/3lp572utm5c2c

h/t @neurovagrant

#fromBsky

What happens if a cosmic ray hits a voting machine?

In Belgium’s 2003 elections, a relatively unknown Communist Party candidate received 4096 extra votes…from a spontaneous bit inversion.

It was more votes than was mathematically possible at that polling station.

What if humanity forgot how to make CPUs? by @lauriewired

https://threadreaderapp.com/thread/1922015999118680495.html

Orbán’s Fidesz party proposes Russia-style crackdown on Hungary’s civil society

https://www.politico.eu/article/viktor-orban-fidesz-party-hungary-russia-democracy-transparency-public-life-civil-society/

The darkest times of my life in #Hungary.

[RSS] The cryptography behind passkeys

https://blog.trailofbits.com/2025/05/14/the-cryptography-behind-passkeys/

#whataweekhuh

[RSS] CVE-2025-32464 - Overflowing HAProxy regsub converter

https://codeanlabs.com/blog/research/cve-2025-32464-overflowing-haproxy-regsub-converter/

I think the most tragic aspect of deploying "AI" in teaching and learning situations is how much it pushes people into a situation of learned helplessness. This constant feeling of not knowing how to do a thing of being incapable of actually doing work on one's tasks is mentally so harmful. How do people under those conditions gain confidence in their abilities? Like ever?

kASLR Internals and Evolution by @r0keb

https://r0keb.github.io/posts/kASLR-Internals-and-Evolution/

Great news! The Pwnie awards nominations are now open!
https://pwnies.com/nominations/

"If all these big companies are shouting from the rooftops that AI is up to production code the money relies on, then zero open source contributions of substance is a glaring absence."

(Original title: If AI is so good at coding … where are the open source contributions?)

https://pivot-to-ai.com/2025/05/13/if-ai-is-so-good-at-coding-where-are-the-open-source-contributions/

This week’s exciting instalment of Security Vulnerabilities that would be deterministically mitigated by #CHERI is a multi-part series sponsored by #Apple.

Media decoders are trivial to sandbox on a CHERI system (around four lines of code). They take an input buffer and produce an output. They can run with write access to that output buffer and nothing else. An attacker who gains arbitrary-code execution in an image decoder, for example, gains the ability to write an image to the output buffer: exactly the same rights that someone who can substitute a different image file has already.

Adobe's patches are (finally) out. 13 bulletins addressing 40 CVEs in Cold Fusion, Lightroom, Dreamweaver, Connect, InDesign, Substance 3D Painter, Photoshop, Animate, Illustrator, Bridge, Dimension, Stager, & Modeler. The patch blog has been updated. https://www.zerodayinitiative.com/blog/2025/5/13/the-may-2025-security-update-review

Glad to report that with the previous round of fixes loadlibrary works with the latest, 64-bit Windows Defender engine (1.1.25030.1)

https://scrapco.de/blog/fuzzing-windows-defender-with-loadlibrary-in-2025.html

#PatchTuesday

In case you thought CTRL-F in chromium was useless... Microsoft has your back. https://www.neowin.net/news/microsoft-removes-a-lot-of-features-from-the-edge-browser/

Find on Page in Microsoft Edge for Business will soon be integrated with Microsoft 365 Copilot Chat. Microsoft Edge for Business is introducing Microsoft 365 Copilot Chat to Find on Page (CTRL+F). This feature seeks to help users more easily find relevant content and save time. Note: This is a controlled feature rollout. If you don't see this feature, check back as we continue our rollout.

While the #Adobe patches are still missing, the #Microsoft patch Tuesday rolls on with 5 0-days being exploited in the wild. Join @TheDustinChilds as he breaks down the release and calls out some familiar components. https://www.zerodayinitiative.com/blog/2025/5/13/the-may-2025-security-update-review

Pffft *spits coffee all over keyboard*

So apparently on #Linux, usernames starting with "0x" are interpreted as hex numbers under certain circumstances. 🤪 That seems like asking for trouble...

[oss-security] CVE-2025-47436: Apache ORC: Potential Heap Buffer Overflow during C++ LZO Decompression

https://seclists.org/oss-sec/2025/q2/126

"malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it"

The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems https://euvd.enisa.europa.eu/

#security #infosec