Collaborate Disseminate
F5’s BIG-IP platform has a Remote Code Execution (RCE) vulnerability: CVE-2022-1388. This one is interesting, because a Proof of Concept (PoC) was quickly reverse engineered from the patch and released …read more Continue reading This Week in Security: F5 Twitter PoC, Certifried, and Cloudflare Pages Pwned
DNS spoofing/poisoning is the attack discovered by [Dan Kaminski] back in 2008 that simply refuses to go away. This week a vulnerability was announced in the uClibc and uClibc-ng standard …read more Continue reading This Week in Security: uClibc and DNS Poisoning, Encryption is Hard, and the Goat
Despite their claims of innocence, we all know that the big tech firms are listening to us. How else to explain the sudden appearance of ads related to something we’ve …read more Continue reading Audio Eavesdropping Exploit Might Make That Clicky Keyboard Less Cool
Since Windows 11 has announced its TPM module requirement, the prices for previously abundant and underappreciated TPM add-on boards for PC motherboards have skyrocketed. We’ve been getting chips and soldering …read more Continue reading TPM Module Too Expensive? DIY Your Own Easily!
[aleaksah] got himself a Mi Smart Kettle Pro, a kettle with Bluetooth connectivity, and a smartphone app to go with it. Despite all the smarts, it couldn’t be turned on …read more Continue reading Dumping Encrypted-At-Rest Firmware Of Xiaomi Smart Kettle
Over many years now we’ve covered right-to-repair stories, and among them has been a constant bête noire. The American farm machinery manufacturer John Deere whose instantly recognisable green and yellow …read more Continue reading For Once, The Long Arm Of John Deere Presses The Right Button
To start our week of vulnerabilities in everything, there’s a potentially big vulnerability in Android handsets, but it’s Apple’s fault. OK, maybe that’s a little harsh — Apple released the …read more Continue reading This Week in Security: Android and Linux, VirusTotal, More Psychic Signatures
[Daljeet Nandha] from [RoboCoffee] writes to us, sharing his research on cryptographic signature-based firmware authenticity checks recently added to the Xiaomi Mi scooter firmware. Those scooters use an OTA firmware …read more Continue reading Xiaomi Cryptographically Signs Scooter Firmware – What’s Next?
Java versions 15, 16, 17, and 18 (and maybe some older versions) have a big problem, ECDSA signature verification is totally broken. The story is a prime example of the …read more Continue reading This Week in Security: Java’s Psychic Signatures, AWS Escape, And a Nasty Windows Bug
OpenSSH has minted their 9.0 release, and it includes a pair of security changes. Unlike most of the releases we cover here, this one has security hardening to prevent issues, …read more Continue reading This Week in Security: OpenSSH, Git, and Sort-of NGINX 0-day