Here's an example of Google's AI reporting security vulnerabilities in this codec:

https://issuetracker.google.com/issues/440183164

We take security very seriously but at the same time is it really fair that trillion dollar corporations run AI to find security issues on people's hobby code? Then expect volunteers to fix.
https://bird.makeup/users/ffmpeg/statuses/1983949866725437791

Arguably the most brilliant engineer in FFmpeg left because of this. He reverse engineered dozens of codecs by hand as a volunteer.

Then security "researchers" and corporate employees came along repeatedly insisted "critical" security issues were fixed immediately waving their CVEs.

This was hugely demotivating to the fun and enjoyment of reverse engineering.
https://bird.makeup/users/ffmpeg/statuses/1978390935433097310

An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices.

https://www.bleepingcomputer.com/news/microsoft/microsoft-patch-for-wsus-flaw-disabled-windows-server-hotpatching/

This week on #OpenSourceSecurity I talk to @ottok about his blog post about detecting an attack like xz in Debian

It's a fascinating conversation about a very complicated topic

There are things that could be detected, but this one would have been very very difficult

https://opensourcesecurity.io/2025/2025-11-xz-debian-otto/

[RSS] deepSURF: Detecting Memory Safety Vulnerabilities in Rust Through Fuzzing LLM-Augmented Harnesses

https://github.com/purseclab/deepSURF

[RSS] Drawn to Danger: Windows Graphics Vulnerabilities Lead to Remote Code Execution and Memory Exposure

https://research.checkpoint.com/2025/drawn-to-danger-windows-graphics-vulnerabilities-lead-to-remote-code-execution-and-memory-exposure/

Firefox nightly introduces the setHTML() method. Which is like a native DOMPurify. You can easily test it here:
https://portswigger-labs.net/mxss/

Set HTMLSanitizer ✅
Auto update ✅

I'm trying to break it, I encourage you to break it too

This year Binarly has also expanded their sponsorship to the creation of a new Firmware Security Learning Path! https://ost2.fyi/OST2_LP_FWSEC.pdf

This captures current and future plans for classes involving security in the deep-dark of firmware! But Binarly is starting to give visibility into what's going on there with their binary analysis platform.

It is decided, the final round of #BSidesVienna tickets will be in 7 days from now on Sunday 09.11.2025 at 7 pm. That is 19:00 o'clock Vienna time UTC+1!

CDE (proper CDE) and sysinfo.pl on Tribblix 0m37

Tribblix: http://www.tribblix.org/
sysinfo.pl: https://codeberg.org/int16h/sysinfo-pl

#RetroComputing #Tribblix #UNIX

A great quote from the book Autocracy Inc from Ann Applebaum, a recommended read. A good description of the atmosphere the Trump administration tries to create.
#trump #autocracy #applebaum

im trying to vibe code an ida plugin rn and its not going great folks

infosec has a lot to learn about understanding failure conditions and accurate, understandable error messages from roadies

Well done to this Redditor for explaining Remote Desktop.

Happy birthday to Vim! 🥳

#vim #opensource

A little interactive post on a little error in fuzzer evaluations: https://addisoncrump.info/research/metric-shenanigans/

Several months ago, I found a #vulnerability from #MantisBT - Authentication bypass for some passwords due to PHP type juggling (CVE-2025-47776).

Any account that has a password that results in a hash that matches ^0+[Ee][0-9]+$ can be logged in with a password that matches that regex as well. For example, password comito5 can be used to log in to the affected accounts and thus gain unauthorised access.

The root cause of this bug is the incorrect use of == to match the password hash:

if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password )

The fix is to use === for the comparison.

This vulnerability has existed in MantisBT ever since hashed password support was added (read: decades). MantisBT 2.27.2 and later include a fix to this vulnerability. https://mantisbt.org/download.php

#CVE_2025_47776 #infosec #cybersecurity

Anybody having problems with #Firefox version 144.0.2 with random domains failing due to cookies? An example error with eBay:

Cookie “ds2” has been rejected for invalid domain.
Cookie “ebay” has been rejected for invalid domain.

[RSS] Dubious security vulnerability: Denial of service by loading a very large file

https://devblogs.microsoft.com/oldnewthing/20251027-00/?p=111731

[RSS] exploits.club Weekly Newsletter 91 - Patch-gapping Browsers, Ubuntu LPEs, Bluetooth Int Underflows, And More

https://blog.exploits.club/exploits-club-weekly-newsletter-91-patch-gapping-browsers-ubuntu-lpes-bluetooth-int-underflows-and-more/

My clearest (and slightly frightening) measure of the passage of time is the weekly exploits.club newsletter.