1 hour of sleep, 2 energy drinks in.
I blame UEFI Forum for this

The official @Defcon recording of HTTP/1.1 Must Die has landed - join me on the mission to help kill HTTP/1.1! https://www.youtube.com/watch?v=PUCyExOr3sE

I'm looking for publicly available reverse engineered program databases (idb, gpr, bndb, ... ), preferably for relatively small programs.

Any tips?

#ReverseEngineering

Serious bugs often occur in third-party components integrated by other software. Ivan Fratric and I found this vulnerability in the Dolby Unified Decoder. It affects Android, iOS and Windows among other platforms, sometimes 0-click.

Integrators should update today!

https://project-zero.issues.chromium.org/issues/428075495

Hi there! This is #nakeddiefriday again!

Today I'd like to present you one of frequent sources of pain for C64 owners, the infamous PLA. This is MOS 7700R2. They failed way too often, and considering this is custom silicon, the only option was to get another one of the same.

Many thanks to @root42 for providing this sample!

SiPron link: https://siliconprawn.org/archive/doku.php?id=infosecdj:mos:7700r2

#electronics #reverseengineering #retrocomputing

New Project Zero issue:

Dolby Unified Decoder: Out of bounds write in evolution parsing

https://project-zero.issues.chromium.org/issues/428075495

CVE-2025-54957

How I Reversed Amazon's Kindle Web Obfuscation Because Their App Sucked https://blog.pixelmelt.dev/kindle-web-drm/

My OBTS v8 slides for Apple Compressor (part of Final Cut Pro) unauthenticated LAN RCE. No CVE? Because it’s not patched…🫣

https://github.com/ChiChou/slides/blob/b737cc3037408221217d59c8fc6b8a82706b7062/Queen%20B%200-click%20RCE%20for%20Apple%20Compressor.pdf

[RSS] Denial of Fuzzing: Rust in the Windows kernel

https://research.checkpoint.com/2025/denial-of-fuzzing-rust-in-the-windows-kernel/

"Which of course makes perfect sense when you are in the business of breaking stuff so people have to pay you for fixing it."

This is an old article, but this one sentence explains so many things!

https://dzone.com/articles/why-you-should-avoid-jsf

[RSS] exploits.club Weekly Newsletter 89 - iOS GPU Driver Bugs, Kernel Stack UAFs, Hardware Wallet Auth Bypasses, and More

https://blog.exploits.club/exploits-club-weekly-newsletter-89-ios-gpu-driver-bugs-kernel-stack-uafs-hardware-wallet-auth-bypasses-and-more/

CVE-2025-6554: The (rabbit) Hole

https://retr0.zip/blog/cve-2025-6554-the-rabbit-hole.html

So this October 2025 F5 security notification is pretty wild because of the sheer volume of vulnerabilities disclosed: more than 30 high-severity CVEs (!) and around a dozen medium-severity ones in a single release cycle. This affects almost every F5 product family, BIG-IP (all modules), BIG-IP Next, F5OS, and related components. Something we don’t see very often... and a lot of these vulnerabilities score above 8.0; remote exploitation, denial-of-service or privilege escalation. Also, the number of affected software branches (from 15.x through 17.x) means most F5 deployments are touched in some way. YMMV.
In short, this quarter’s bulletin is probably F5’s heaviest security updates ever. If you run F5 products, patch now. https://my.f5.com/manage/s/article/K000156572

[RSS] I remember taking a screen shot of a video, and when I opened it in Paint, the video was playing in it! What witchcraft is this?

https://devblogs.microsoft.com/oldnewthing/20251014-00/?p=111681

yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242) - watchTowr Labs https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/

With the AI-bubble looking close to bursting, here I present a pre-mortem, in which I state that much of AI is simultaneously mega-impressive and still mostly useless. The collapse of the bubble does not mean the technology will go away, however. Also, there are extremely useful AI applications already that we should not lose sight of once we are post-collapse. Plus some thoughts on 'intelligence' & evolution:
https://berthub.eu/articles/posts/an-ai-premortem/

Ever wondered how virtual machines talk to their host without relying on traditional networking?
Meet vsock (Virtual Socket) - the Linux kernel’s built-in communication layer for blazing-fast, low-latency host ↔ guest interaction.
Unlike TCP/IP, vsock skips the network stack entirely and works directly over the hypervisor, making it perfect for control channels, telemetry, and secure VM management in QEMU/KVM, VMware, and Hyper-V environments.
Read our full technical breakdown: https://ssd-disclosure.com/an-introduction-to-chrome-exploitation-webassembly-edition-2/

Windows ARM64 Internals: Deconstructing Pointer Authentication | Prelude
https://www.preludesecurity.com/blog/windows-arm64-internals-deconstructing-pointer-authentication

Depicting an iOS Vulnerability – DFSEC Research
https://blog.dfsec.com/ios/2025/10/14/Depicting-an-iOS-Vulnerability/