Microsoft:
As much as 30% of the company's code is written by AI.
Also Microsoft:
Somehow we managed to make it so that clicking the x in Task Manager doesn't close the app. Whoopsie daisy!
See also:
For a while, "Update and shut down" did not shut down the computer. It reboots it.
https://www.windowslatest.com/2025/11/02/update-and-shut-down-no-longer-restarts-pc-as-windows-11-25h2-patch-addresses-a-decades-old-bug/
A job done, folks.
I've noticed that Gmail is letting a pattern of spam messages through lately (maybe the past month or two?).
With the subject line of Delivery Status Notification (Failure) and then just a junk email body.
Just me? Is using a subject line of Delivery Status Notification (Failure) really all it takes to get past Gmail's spam filtering?
@GossiTheDog
Three clicks is a lot to expect, I suppose.
For some reason, people seem to be spun up about recent changes that allegedly force people to create Microsoft accounts during Windows 11 setup.
Except, nothing is being forced.
Windows 11 Pro or better:
Just do the usual:
Windows 11 Home:
Ok, fine. Microsoft has indeed removed the OOBE.CMD batch file. But you know what? You can run the command that a batch file runs without the batch file itself?
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v BypassNRO /t REG_DWORD /d 1 /f
Once you reboot, you'll have the I don't have internet link, where you can create a local account.
I approve.
NGL... Super Sauce tomatoes are kind of ridiculous.
I leave for vacation a week ago with Twitter down, and as I return it's (still/again/🤷♂️) down.
Great job, folks!
Please don't bother coming back.
KTHXBYE
Ooh, another of my NTFS vulnerabilities that I reported years ago was patched today. 🎉
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32707
I'm at a meeting hosted by somebody else where they're using Microsoft Teams, and in the chat I attempted to share an image that is on my laptop. By clicking the + button and Attach file.
The result of doing this is that Teams puts the image in MY COMPANY'S SHAREPOINT SERVER, and nobody else in Teams can see the image because they DON'T HAVE AN ACCOUNT on my company's SharePoint server. 🤦♂️
Wonders:
1) Has anybody at Microsoft actually tried using Teams?
2) Why do people choose to use Teams?
Aside: If you copy an image and press Cmd - V to put the image in the chat, Teams actually... puts the image in the chat.
It's fruit update time.
https://support.apple.com/en-us/100100
@deepthoughts10
No, Tamper Protection does nothing to stop this.
Neat way to disable Windows Defender (or possibly other AV products)...
Register a no-op AV product in the Windows Security Center (WSC). This action is protected by an NDA that AV vendors sign, and, well...
Anyway, yeah, admin users can do admin things. Don't forget that.
Oh, what's that?
'NICIPConfigUpdateDeployment-1745511600265' is not valid?
Oh, let me put my Azure translation hat on. Ok, got it:
You have exceeded your limit of 10 publicly available IP addresses. Please first Disassociate the IP address and then delete it. Otherwise you will get another error message.
Boy, this hat is useful.
Just kidding. There's no such hat.
You need to trudge through things until you brute-force figure things out.
Time to go touch grass...
What's that?
The "Most used by Azure users" VM type that I picked isn't available?
You know what, instead of Go Fish, maybe tell me what I can use?
Edit: Azure Spot pricing apparently isn't a thing. No matter which Size + Region combination you choose, you'll get an error that says that the combo isn't available where you want it. 🤦♂️
What's that? I need to remove the number of data disks in my VM? Maybe tell me how to do this?
Ohhhh... You've selected an Azure VM image that requires more than 4 disks, and the VM type currently selected has only 4 disks? I'm no UI/UX expert, but maybe just TELL ME THIS?
If you create an ARM VM in Azure, beware that your "Recently used size" will be ARM, and as such you will not be able to create any preconfigured x64 VMs.
Because of course if your "Recently used size" is ARM, Microsoft will disable the ability to pick an x64 size. 🤦♂️
Yes, I had to create a sacrificial x64 VM in Azure to work around this. Once my recently used size was x64, I was able to pick any size that I wanted.
Now that I have a local copy of the Commvault VM so that I don't burn truckloads of Azure dollars, I can look at things at my leisure.
AND, it seems that the VM that I have is 11.38.25, which contains the fix for CVE-2025-34028.
EXCEPT the exploit for CVE-2025-34028 still works against it. 🤦♂️
Commvault claims that 11.38.20 and 11.38.25 fix the watchTowr-reported CVE-2025-34028 vulnerability. (Aside: How is it even possible that two different versions in the same product line are the ones that fix a single vulnerability?) watchTowr discovered the bug in 11.38.20.
I trust watchTowr, so I don't believe Commvault's statement that 11.38.20 fixes the vulnerability that watchTowr found in 11.38.20.
I also trust the PoC that I just ran against 11.38.25, so I don't believe Commvault's statement that 11.38.25 fixes the vulnerability that watchTowr found in 11.38.20.
Yes, I have trust issues. 😕
After successfully touching grass and beginning to write up CVE-2025-34028...
CVE-2025-34028 is a path traversal vulnerability. And yes, the path traversal allows for an unauthenticated attacker to plant files in arbitrary locations. And presumably Commvault has fixed the path traversal part.
BUT, what about the fact that deployCCPackage() is reachable by design (by way of deployServiceCommcell.do being explicitly listed in authSkipRules.xml)?
Directory traversal aside, in what world does the ability for an unauthenticated client to deploy a Command Center package make sense, whatever that means? 🤔
I play with vulnerabilities and exploits, but am forbidden to discuss such things publicly. I used to be https://twitter.com/wdormann but Twitter has become unbearable, so here I am.