I am totally sure (sarcasm included) that #Google has totally overseen that their planned changes to their root program requirements will cause a lot of problems for mailserver owners like me who in future might run into weird problems with #Letsencrypt certificates for SMTP. I am sure that Google is absolutely not trying to make running your own mailserver even more complicated just to protect their gmail business. That would be totally not how Google thinks, amirite? https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/

Detecting malicious Unicode in #curl

https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-unicode/

CISA Warns of #Google Chromium #ZeroDay Vulnerability CVE-2025-4664 Actively Exploited in the Wild affecting #Chrome, MS #Edge and Opera – Make sure to update your browser to the latest version today!
👇
https://cybersecuritynews.com/cisa-warns-of-google-chromium-vulnerability-actively-exploited-in-the-wild/

I wanted to end last year with a vm escape, took me a bit longer but I want to present you my latest public research:

A VM escape in Oracle VirtualBox using only one integer overflow bug!

This was fixed in April 15 and assigned CVE-2025-30712.

https://github.com/google/security-research/security/advisories/GHSA-qx2m-rcpc-v43v

A brief summary of Day One of #Pwn2Own Berlin 2025, featuring Sina Kheirkhah, STAR Labs SG, Wongi Lee of Theori, Marcin Wiązowski and more. #P2OBerlin

Project: golang/go https://github.com/golang/go
File: src/cmd/vendor/golang.org/x/arch/x86/x86asm/gnu.go:14 https://github.com/golang/go/blob/refs/tags/go1.23.4/src/cmd/vendor/golang.org/x/arch/x86/x86asm/gnu.go#L14

func GNUSyntax(inst Inst, pc uint64, symname SymLookup) string

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fgolang%2Fgo%2Fblob%2Frefs%2Ftags%2Fgo1.23.4%2Fsrc%2Fcmd%2Fvendor%2Fgolang.org%2Fx%2Farch%2Fx86%2Fx86asm%2Fgnu.go%23L14&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fgolang%2Fgo%2Fblob%2Frefs%2Ftags%2Fgo1.23.4%2Fsrc%2Fcmd%2Fvendor%2Fgolang.org%2Fx%2Farch%2Fx86%2Fx86asm%2Fgnu.go%23L14&colors=light

this ratelimiting stuff with GitHub makes me really think that MSFT might actually successfully kill their golden goose

trust arrives on foot and leaves on horseback, etc

Confirmed! Hyeonjin Choi of Out Of Bounds earns $15,000 for a third round win and 3 Master of Pwn Points by successfully using a type confusion bug to escalate privileges in #Windows11 #Pwn2Own #P2OBerlin

Those annoying “consent” cookie pop ups that Big Tech has been using as part of their malicious compliance efforts to convince you that data protection law in the EU is a nuisance?

Turns out they’re illegal.

https://www.iccl.ie/digital-data/eu-ruling-tracking-based-advertising-by-google-microsoft-amazon-x-across-europe-has-no-legal-basis/

#TCF #consent #data #privacy #EU #GDPR #BigTech #maliciousCompliance #SiliconValley #adtech #technoFascism

❓ ❓
🐱 🌵
#shapoart

New podcast is now live! This podcast episode goes over the career of pinkflawd, how she got into malware reversing, advice on being in the industry, how to deal with failures, and some exciting content about some interesting piece of malware she has analyzed !

https://www.buzzsprout.com/2400544/episodes/17145918-pinkflawd-malware-reverse-engineering

https://open.spotify.com/episode/4ln1X3zd6LqM3sm6rTI527?si=eT-ERmW1Q-GN7fLaoniMSg

Thank you so much to @pinkflawd for coming on and talking about her story. Hope you enjoy 🤩

Success! Hyeonjin Choi of Out Of Bounds targeting Microsoft Windows 11 wasted absolutely no time at all to successfully demonstrate his Local Escalation on #Windows11 - he is off in the disclosure room now! #Pwn2Own #P2OBerlin

After a dramatic pause in getting things setup Billy and Ramdhan of STAR Labs preformed a Docker Desktop escape to pop calc - and they are also now off to the disclosure room - good luck! #Pwn2Own #P2OBerlin

We have another collision - Viettel Cyber Security targeting NVIDIA Triton Inference Server successfully demonstrated their exploit - however it was known to the vendor, but not yet patched. They still earn $15,000 and 1.5 Master of Pwn Points #Pwn2Own #P2OBerlin

As expected, in his first #Pwn2Own attempt, Marcin Wiązowski showed of his Windows 11 privilege escalation. He went from a standard user SYSTEM in the blink of an eye. He's off to the disclosure room with his white paper of knowledge. #P2OBerlin

Sweet! Hyunwoo Kim (@V4bel) and Wongi Lee (@_qwerty_po) of Theori were able to escalate to root on Red Hat Enterprise Linux. They head off to the disclosure room to cover the details of their exploit.

Coinbase filed an 8K with the SEC for a breach. They believe multiple insiders have sold customer information to a threat actor who is now extorting them.

It looks like a very significant breach as it includes customers passport scans.

https://www.sec.gov/ix?doc=/Archives/edgar/data/1679788/000167978825000094/coin-20250514.htm

#threatintel

With our first confirmation, our results blog is now live. We'll be updating this blog throughout the day with the latest results. https://www.zerodayinitiative.com/blog/2025/5/15/pwn2own-berlin-2025-day-one-results

We have a bug collision. Although Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) successfully demonstrated his exploit of #NVIDIA Triton, the bug he used was known by the vendor (but not patched). He still earns $15K and 1.5 Master of Pwn points.

Confirmed! Chen Le Qi of STARLabs SG combined a UAF and an integer overflow to escalate to SYSTEM on #Windows 11. He earns $30,000 and 3 Master of Pwn points. #Pwn2Own #P2OBerlin