COMPART/NICKDR.GIF

Hacker pro tip:

If you get someone's creds and try to attach to their Entra account, maybe change the user agent string to something other than 'AADInternals'.

Join @vulncheck next week for our new In the Wild webcast series! This month, our research team will do a deep dive on developing an exploit for Gladinet Triofox CVE-2025-12480, a process that wound up being significantly more complex than expected.

Wednesday, Jan. 28 @ 1 PM ET (and the last Wednesday of every month!)

https://wwv.vulncheck.com/in-the-wild-with-vulncheck-webinar-series

When you get a screenshot of an individual window in Windows, using either Alt + PrtScn or the fancy new Snipping Tool, you also capture the contents of whatever is behind the window around the edges.

Linux doesn't do this.
macOS doesn't do this.
Just Windows.

Why are expectations for how Windows works so low?
Or has Microsoft crafted a world where they are not required to care?

CVE-2025-56005 - If you pass untrusted data in the `run_this_code` parameter of bar() of library foo then untrusted code gets executed. This is a vulnerability, because it's not documented that `run_this_code` will run code.

Developer resigned:
https://github.com/dabeaz/ply/commit/9d7c40099e23ff78f9d86ef69a26c1e8a83e706a

#cve #slop #FOSS

I took a slip from my tea mug. It wasn't the rum I expected.

I'm deeply disappointed.

Have we considered suggesting DNS-over-ChatGPT yet?

With TikTok now going to be owned by Larry Ellison and Emerati MGX/G42, the concerns about it being used as a government propaganda machine really are totally put to rest. Phew!

(My hope remains that this move will ruin the product and the kids will move on.)

Microsoft is handing over Bitlocker keys to law enforcement. https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/

[RSS] Firefox / WebRTC Encoded Transforms: UAF via undetached ArrayBuffer / CVE-2025-1432

https://aisle.com/blog/firefox-webrtc-encoded-transforms-uaf-via-undetached-arraybuffer-cve-2025-14321

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

https://apply.workable.com/portswigger/j/FC27ED6166/

[RSS] Dead Ends, Red Herrings, and Failures In Our Time

https://www.hoyahaxa.com/2026/01/dead-ends-red-herrings-and-failures-in.html

(ColdFusion research #fail)

[RSS] Pwn2Own Automotive 2026 - Day Three Results and the Master of Pwn

https://www.thezdi.com/blog/2026/1/23/pwn2own-automotive-2026-day-three-results-and-the-master-of-pwn

90% of the time you don’t need a DevOps guy.

You need a C++ guy, a SQL guy, and one fat server with a lot of ram.

StackOverflow used to run on *one* SQL Server with a hot spare.

Peaked Alexa Rank #36, 10+ Million visits a day.

[LWN] Responses to gpg.fail

https://lwn.net/SubscriberLink/1054220/c6f98b90a009fca2/

Rust 1.93.0 now provides much more helpful error messages when associated types miss lifetimes:

Thanks again to @ekuber for picking up my original report:

https://github.com/mainmatter/100-exercises-to-learn-rust/issues/245

[RSS] Ticket to Shell: Exploiting PHP Filters and CNEXT in osTicket (CVE-2026-22200)

https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/

Rust 1.93.0 has been released! 🌈 🦀✨

This release includes a new musl version for the *-linux-musl targets, adds support for #​[cfg] inside asm!(), and adds [T]::as_array, VecDeque::{pop_front_if, pop_back_if}, Vec/String::into_raw_parts, fmt::form_fn, and more! ✨

Check out the blog post and release notes for all the details: https://blog.rust-lang.org/2026/01/22/Rust-1.93.0/

JWT {"alg": "let-me-innnnn"} vuln

https://pentesterlab.com/blog/cve-2026-23993-harbourjwt-unknown-alg-jwt-bypass

TEE security breaks down in predictable ways. In our December webinar, we showed exactly where.
Jules Drean from Tinfoil walked through their threat model, covering repositories, hardware configurations, and CVM images. Our security engineers, Paul Bottinelli and Tjaden Hess, dug into vulnerabilities they've found in production TEE deployments.

Watch the full recording: https://watch.getcontrast.io/register/trail-of-bits-top-tee-bugs-you-should-fix-before-your-audit?utm_source=socials