Hacker News with Generative AI: Vulnerability

MS's patch for symlink vulnerability introduces another symlink vulnerability (doublepulsar.com)
Microsoft recently patched CVE-2025–21204, a vuln which allows users to abuse symlinks to elevate privileges using the Windows servicing stack and the c:\inetpub folder.

Security, Microsoft, Vulnerability, Symlinks

8 points by croes 2 days ago | 0 comments

What the Critical Erlang SSH Vulnerability Means for Elixir Developers (paraxial.io)
CVE-2025-32433, an Unauthenticated Remote Code Execution in Erlang/OTP SSH was announced yesterday.

Security, Erlang, Elixir, Programming Languages, Vulnerability

4 points by realcorvus 9 days ago | 0 comments

Over 16,000 Fortinet devices compromised with symlink backdoor (bleepingcomputer.com)
Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.

Cybersecurity, Fortinet, Vulnerability, Backdoors

8 points by gnabgib 9 days ago | 0 comments

Recently I was targeted by an sophisticated (Google) phishing attack (threadreaderapp.com)
Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got:

Phishing, Google, Security, Vulnerability

5 points by mikexstudios 10 days ago | 1 comments

Microsoft fixes 124 flaws, including one under active exploitation (scworld.com)
Microsoft is experiencing a busy spring as it delivered 124 security vulnerability fixes to administrators in the latest edition of its Update Tuesday security release schedule.

Security, Software, Microsoft, Vulnerability, Patching

10 points by LinuxBender 16 days ago | 1 comments

One Bug Wasn't Enough: Escalating Twice Through SAP's Setuid Landscape (anvilsecure.com)
It's not every day you get a chance to one-up your CTO and co-founder of the company you work for. In 2020, Vincent Berg published a blog post describing a vulnerability he found affecting an SAP setuid binary while preparing for a client project. Combined with an insecure NFS configuration, he was able to compromise a dozen UNIX machines during that client engagement.

Security, Software, Vulnerability, SAP

73 points by tlxio 17 days ago | 9 comments

Max severity RCE flaw discovered in widely used Apache Parquet (bleepingcomputer.com)
A maximum severity remote code execution (RCE) vulnerability has been discovered impacting all versions of Apache Parquet up to and including 1.15.0.

Security, Apache Parquet, Vulnerability

174 points by andy99 19 days ago | 78 comments

Linux Kernel Defence Map – Security Hardening Concepts (github.com/a13xp0p0v)
Linux Kernel Defence Map shows the relationships between vulnerability classes, exploitation techniques, bug detection mechanisms, and defence technologies

Linux, Security, Kernel, Vulnerability, Defense

158 points by transpute 20 days ago | 20 comments

Atop 2.11 heap problems (openwall.com)
CVE-2025-31160 Atop 2.11 heap problems

Security, Software, Vulnerability

170 points by baggy_trough 27 days ago | 81 comments

Mozilla warns Windows users of critical Firefox sandbox escape flaw (bleepingcomputer.com)
Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems.

Security, Firefox, Windows, Software, Vulnerability

6 points by akyuu 29 days ago | 2 comments

Ungovernable, Capricious Life (nybooks.com)
The sense of vulnerability is crushing, but it is also one of the characteristics Kureishi reveals about himself that makes him so likable here, and the writing so intimate.

Vulnerability, Writing, Biography, Literature, Personal Essays

6 points by mitchbob 32 days ago | 7 comments

As an engineer, I'd rather be called stupid than stay silent (shiftmag.dev)
Letting myself be vulnerable and ask stupid questions actually helped me grow in my engineering career.

Engineering, Vulnerability, Growth, Communication

41 points by codeman001 37 days ago | 14 comments

CVE-2024-9956 – PassKey Account Takeover in All Mobile Browsers (mastersplinter.work)
In this blogpost I will go over a vulnerability I found in all major mobile browsers that allowed an attacker within Bluetooth range to take over PassKeys accounts by triggering FIDO:/ intents.

Security, Mobile Browsers, Vulnerability, Bluetooth

243 points by rbanffy 38 days ago | 116 comments

CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 (openwall.com)
An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files.

Security, Software, Vulnerability, FreeType

6 points by mmsc 44 days ago | 1 comments

Vulnerability in partner.microsoft.com allows unauthenticated access (nist.gov)
An improper access control vulnerability in Partner.Microsoft.com allows an a unauthenticated attacker to elevate privileges over a network.

Cybersecurity, Microsoft, Vulnerability

18 points by speckx 52 days ago | 0 comments

Wallbleed: A Memory Disclosure Vulnerability in the Great Firewall of China [pdf] (gfw.report)

Cybersecurity, China, Vulnerability, Network Security

10 points by luu 52 days ago | 0 comments

I hacked my company's SSO provider (mattsayar.com)
I never thought I'd stumble across a previously-undiscovered vulnerability, much less one in security software.

Security, Hacking, Software, Vulnerability

20 points by MattSayar 53 days ago | 6 comments

Wallbleed: A Memory Disclosure Vulnerability in the Great Firewall of China (gfw.report)
We present Wallbleed, a buffer over-read vulnerability that existed in the DNS injection subsystem of the Great Firewall of China.

Security, China, Network Security, Vulnerability

14 points by complexpass 54 days ago | 0 comments

How to gain code execution on hundreds of millions of people and popular apps (kibty.town)

Security, Hacking, Software, Vulnerability, Code Execution

1156 points by xyzeva 56 days ago | 319 comments

Musl Libc: input-controlled out-of-bounds write primitive in iconv (openwall.com)
A vulnerability has been identified in musl libc's implementation of iconv that can result in out-of-bounds memory writes in applications which process untrusted input using iconv and where the input charset for the conversion is input-controlled.

Security, Software, Vulnerability, Linux

7 points by sgammon 57 days ago | 0 comments

MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (marc.info)
We discovered two vulnerabilities in OpenSSH:

Security, OpenSSH, Vulnerability

6 points by birdculture 66 days ago | 0 comments

Juniper Networks Routers API Authentication Bypass Vulnerability (juniper.net)
Loading×Sorry to interruptCSS ErrorRefresh

Cybersecurity, Network Security, Vulnerability, Juniper Networks, Routers

3 points by zdw 66 days ago | 0 comments

CVE-2025-26519: musl Libc: input-controlled out-of-bounds write (openwall.com)
A vulnerability has been identified in musl libc's implementation of iconv that can result in out-of-bounds memory writes in applications which process untrusted input using iconv and where the input charset for the conversion is input-controlled.

Security, Software, Vulnerability, Linux

12 points by fossdd 71 days ago | 1 comments

Router maker Zyxel tells customers to replace vulnerable hardware (techcrunch.com)
Taiwanese hardware maker Zyxel says it has no plans to release a patch for two actively exploited vulnerabilities affecting potentially thousands of customers.

Cybersecurity, Hardware, Vulnerability, Taiwan

4 points by impish9208 80 days ago | 1 comments

AMD: Microcode Signature Verification Vulnerability (github.com/google)
Google Security Team has identified a security vulnerability in some AMD Zen-based CPUs. This vulnerability allows an adversary with local administrator privileges (ring 0 from outside a VM) to load malicious microcode patches. We have demonstrated the ability to craft arbitrary malicious microcode patches on Zen 1 through Zen 4 CPUs. The vulnerability is that the CPU uses an insecure hash function in the signature validation for microcode updates.

Security, AMD, CPU, Microcode, Vulnerability

287 points by todsacerdoti 81 days ago | 105 comments

Yubico Issues Security Advisory as 2FA Bypass Vulnerability Confirmed (forbes.com)
Two-factor authentication has increasingly become a security essential over recent years, so when news of anything that can bypass those 2FA protections breaks, it’s not something you can ignore.

Security, Two-Factor Authentication, Cybersecurity, Vulnerability

10 points by Fishkins 98 days ago | 0 comments

Apache fixes Traffic Control bug that attackers could exploit (scworld.com)
Apache’s maintainers on Dec. 23 released patches for a critical 9.9 vulnerability in the Traffic Ops component of Apache Traffic Control versions 8.0.0 and 8.0.1.

Security, Apache, Software, Vulnerability

14 points by LinuxBender 120 days ago | 1 comments

OpenOffice security issues unfixed in over 365 days, security status Amber (apache.org)
This was extracted (@ 2024-12-18 21:10) from a list of minutes which have been approved by the Board. Please Note The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.

Cybersecurity, Apache, Software Security, Vulnerability

8 points by mksaunders2 121 days ago | 3 comments

Critical Apache Struts bug under active exploit (theregister.com)
A critical security hole in Apache Struts 2 – patched last week – is currently being exploited using publicly available proof-of-concept (PoC) code.