Last week, I gave a talk on web browser security research at a student-organized conference. I tried to make the talk reasonably beginner-friendly, so the slides (linked here) could hopefully be useful to someone as a learning resource. https://docs.google.com/presentation/d/1rEPiqV0KBHAI0lVym283OHzYRXNCCuGudmDby1Z1qyc/edit?usp=sharing

Scumbag Google is at it again and introduces delays when loading a video on YouTube with an active ad blocker. With a nice litter banner on the lower left saying "Experiencing interruptions? Here's why!" with a link to a page telling you to disable ad blockers.

Guess what, you pissheads! It's still faster and less annoying to wait for the delay than actually watching the ads.

I finally found the perfect bug to play with wrapwrap and get RCE on Monero forums

After that, very classic exploitation steps. The only twist is that I didn't expect Laravel to unserialize() session cookies when the session driver is set to Redis (at least this version).

https://swap.gs/posts/monero-forums/

#php

This Video Can #Exploit Your #iPhone (CVE-2025-31200)

https://www.youtube.com/watch?v=nTO3TRBW00E

Besides the clickbaity title, this video is actually a simple and fun initial analysis of the #1day in question.

As a side note, I started watching it on a device with no #adblocker and damn, YouTube has become so annoying and utterly unusable 😠

CVE ID: CVE-2025-24016
Vendor: Wazuh
Product: Wazuh Server
Date Added: 2025-06-10
Notes: https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh ; https://nvd.nist.gov/vuln/detail/CVE-2025-24016
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-24016

Apparently, if you have facebook or Instagram installed on your phone, #Meta was able to track your browsing habits and link them to your real identity even if you never logged in on the web, used incognito mode or a VPN. I hope Meta gets hit with every fine in the book.

https://www.zeropartydata.es/p/localhost-tracking-explained-it-could

#Hydroph0bia (CVE-2025-4275) - a trivial #SecureBoot bypass for UEFI-compatible firmware based on Insyde #H2O, part 1

https://coderush.me/hydroph0bia-part1/

With the Kagi for Libraries program, we'll offer free access to Kagi for public library patrons worldwide 📚

If your library is interested or you know a local public library that could benefit, encourage them to apply and help us expand this program:

https://kagi.com/libraries

#Kagi #Search #Libraries

It's a mild release from #Microsoft and a record-breaking release from #Adobe. There's a single 0-day to deal with in WEBDAV and, as always, a few deployment challenges. @TheDustinChilds provides all the details at
https://www.zerodayinitiative.com/blog/2025/6/10/the-june-2025-security-update-review

Found in the wild: 2 Secure Boot exploits. Microsoft is patching only 1 of them.

https://arstechnica.com/security/2025/06/unearthed-in-the-wild-2-secure-boot-exploits-microsoft-patches-only-1-of-them/

This was a fun one to discover!
SQL syntax can be ambiguous, and MySQL anticipated this a long time ago. Other SQL dialects stuck to the spec, leading to SQL injection when the right stars align:

@SonarResearch https://infosec.exchange/@SonarResearch/114659742648728633

Terrific summary of Linux process injection techniques https://www.akamai.com/blog/security-research/the-definitive-guide-to-linux-process-injection

I've published my 8086 CPU Test suite for emulators.

It contains 646,000 single-step opcode executions with initial and final register and memory states.

https://github.com/SingleStepTests/8086