Me to Trend Micro ZDI:
Trend Micro Antivirus fails to detect viruses in a mounted VHD/VHDX file at all. You should probably fix this.
Trend Micro ZDI:
we are not interested in this vulnerability type.
This truly is a thankless job. 🤦♂️
Ah, lovely.
Between this and Mozilla recently admitting that they sell your personal data...
What browsers do folks use these days?
A different vendor (Broadcom):
We encourage finders to use encrypted communication channels to protect the confidentiality of vulnerability reports. Our PGP public key is available at the following link:
The PGP key:
Me to a major vendor, in a PGP-encrypted email (their request):
Describes vul in their software. Here's an animated GIF showing exploitation of the vul. Please let me know how I can get a large file to you so I can get the PoC to you.
Vendor (in cleartext): Please send us a GIF and the PoC.
Me: I already sent the GIF. Are you saying you didn't get it? Also, please tell me how to get a large file to you.
Vendor: We have not received the GIF. Please send us a PoC.
Me: table_fip.gif
I fully understand why people go the full disclosure route.
Twitter is blocking Signal links.
Rumor has it that the reason is that Signal is being used by federal workers to blow the whistle on DOGE.
Obviously I cannot confirm the rationale, but I can confirm (and have confirmed) that such links are indeed being blocked on Twitter.
https://www.disruptionist.com/p/elon-musks-x-blocks-links-to-signal
With the release of ICS 22.7R2.6, Ivanti has apparently discovered the value of compiling in exploit mitigations. (many of which have been around for 22 years)
With R2.6, the web server, despite still being 32-bit, has stack canaries, full relro, and some fortify.
Baby steps, I suppose...
For folks still running Ivanti stuff for some reason, you've got work to do.
Again.
CVE-2025-22467 is a CVSS 9.9 stack buffer overflow RCE.
The list of calendar entries that Google chose to remove from their calendar:
• Pride Month
• Black History Month
• Holocaust Remembrance Day
• Jewish Heritage
• Hispanic Heritage
• Indigenous People Month
HOLOCAUST. REMEMBRANCE. DAY.
😱
Apparently Google is just shitty.
No duress signal or anything here. Just trying to fit in by being shitty. 🤦♂️
Also, be careful:
If you were previously opted out of Apple Intelligence (because seriously, who wants this?), you may find that it's turned on after the upgrade.
You know the drill.
Update your fruit.
At least one of these (CVE-2025-24085) is being used by attackers in the wild.
https://support.apple.com/en-us/100100
The current White House:
Of course you can tell if a single-cell zygote is a male or not. We know what dudes are.
I can see what this is leading to, and it looks real grim.
About 10 years ago, I set up an automated system to test whether Android apps choose to bypass HTTPS security or not. Almost 24000 vulnerabilities later, I was... not impressed.
Just for lulz, I decided to test some iOS apps using a telephone and my fingers. Yes, the situation is much better than it was back then. No, I should not have been able to find over a dozen vulnerable apps by hand this easily.
@jschwart
LOL at the concept of explaining to an older person what a "web browser" let alone JavaScript is. 😂
Mom on her PC: Will never ever have the need to download an executable, script, or related from her web browser.
Me: Configures web browser accordingly.
Google Chrome: These sorts of extensions can be dangerous. We're going to disable it soon. For your safety.
🤦♂️
Here we go...
OK, I'll admit that 20 lbs of pre-dehydrated beef jerky doesn't really look too appetizing.
But I assure you, the final product is magical.
The man page for tune2fs is pretty clear about this capability.
The person who writes the data to the USB mass storage device can specify that both:
1) The OS that reads the device should panic if the filesystem has an error.
2) The filesystem has an error.
🤦♂️
Back when I was poking around with filesystem fuzzing stuff years back, I noticed something odd:
An EXT filesystem can tell the Linux OS how it should behave "if" the filesystem is corrupt, including triggering a kernel panic. In a world where USB thumb drives exist, this seems... not ideal.
Let's see what happens if we plug such a mass storage device into a fully patched Chromebook in 2024...
Oh.
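A defender-side check for the behaviour described in the two posts above, as an added example that is not the author's code: it reads the `s_state` and `s_errors` fields of an ext2/3/4 superblock and reports whether the volume asks the kernel to panic on errors. The function names and the sample buffers are constructed for illustration; only the primary superblock is examined, so corruption elsewhere on the volume is not detected.

```python
import struct

SUPERBLOCK_OFFSET = 1024   # primary superblock starts 1024 bytes into the volume
MAGIC_OFFSET = 0x38        # s_magic, followed by s_state (0x3A) and s_errors (0x3C)
EXT_MAGIC = 0xEF53
ERRORS_BEHAVIOUR = {1: "continue", 2: "remount-ro", 3: "panic"}  # s_errors values
STATE_ERROR_FS = 0x0002    # s_state bit: filesystem is marked as having errors


def inspect_superblock(volume: bytes) -> dict:
    """Return the error policy recorded in an ext2/3/4 superblock."""
    start = SUPERBLOCK_OFFSET + MAGIC_OFFSET
    if len(volume) < start + 6:
        raise ValueError("volume too short to hold an ext superblock")
    magic, state, errors = struct.unpack_from("<HHH", volume, start)
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/3/4 filesystem (bad magic)")
    behaviour = ERRORS_BEHAVIOUR.get(errors, f"unknown({errors})")
    error_flag = bool(state & STATE_ERROR_FS)
    return {
        "errors_behaviour": behaviour,
        # The medium itself asks the reading OS to panic on an error.
        "requests_panic": behaviour == "panic",
        # The medium also declares itself to be in an error state.
        "error_flag_set": error_flag,
        # Both conditions listed in the post are present at once.
        "both_conditions": behaviour == "panic" and error_flag,
    }


def make_sample(state: int, errors: int) -> bytes:
    """Constructed sample: a zeroed buffer with only the three fields set."""
    buf = bytearray(2048)
    struct.pack_into("<HHH", buf, SUPERBLOCK_OFFSET + MAGIC_OFFSET,
                     EXT_MAGIC, state, errors)
    return bytes(buf)


if __name__ == "__main__":
    samples = [("clean, errors=continue", make_sample(0x0001, 1)),
               ("error flag, errors=panic", make_sample(0x0002, 3))]
    for label, image in samples:
        print(label, inspect_superblock(image))
```

Run against the first 2 KiB of a removable device or image before it is mounted; a `requests_panic` result on untrusted media is a reason to mount with an explicit `errors=remount-ro` option or not at all.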
I play with vulnerabilities and exploits. I used to be https://twitter.com/wdormann but Twitter has become unbearable, so here I am.