Rich Warren
@buffaloverflow
1.6K posts
Red Team & Offensive Security Research @AmberWolfSec // @buffaloverflow.rw.md on bsky
Joined May 2011
668 Following, 10.6K Followers
Haifei Li @HaifeiLi
A quick update for hunting the CVE-2026-21509 0day sample.. Weird (and good) stuff! - my EXPMON system has an existing Indicator Logic specifically detecting the "shellexplorer" (the same {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}; "shellexplorer" is the ProgID name) OLE/COM/ActiveX object, which is the key to look for a potential CVE-2026-21509 0day! And I have forgotten why I wrote that detection logic in the first place, really..😅 But anyway, if you spot a sample which was detected with such an Indicator on @EXPMON_ , then it could be a very good candidate! See this example pub.expmon.com/analysis/31153…; the Indicator's name is "activex compatibility shellexplorer registry key accessed". Please note that even if the sample is not detected ("Undetected"), as long as it's detected w/ such an Indicator, it could still be the 0day. You then test in an unpatched env to see what's going on. Please note that you should not connect your testing VM to the Internet, because once you connect to the Internet Office will get patched automatically with some server-side configuration which is already deployed according to Microsoft's advisory. Or, you can let me know your submission; I have a VM ready for testing. Happy hunting! :)
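A way to triage a sample offline for the CLSID named in the post above, as an added example that is not code from the post, from EXPMON or from Microsoft: it reads a document as raw bytes and looks for the CLSID in ASCII, UTF-16LE and binary GUID form, so a match is only a hint that the object is referenced, not proof of exploitation. The sample bytes are constructed here for the demonstration.

```python
import uuid

# CLSID quoted in the post; its ProgID is "shellexplorer".
SHELLEXPLORER_CLSID = "EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B"


def clsid_to_bytes(clsid: str) -> bytes:
    """Windows GUID struct layout: Data1/2/3 little-endian, Data4 as-is.
    This is how OLE storages and registry binary values carry a CLSID."""
    return uuid.UUID(clsid).bytes_le


def find_clsid_indicators(data: bytes, clsid: str = SHELLEXPLORER_CLSID) -> list:
    """Return sorted (offset, form) pairs for every occurrence of the CLSID.
    Text forms cover OOXML/RTF/HTML markup; the binary form covers OLE2 streams."""
    needles = {
        "ascii": clsid.encode("ascii"),
        "ascii-lower": clsid.lower().encode("ascii"),
        "utf16le": clsid.encode("utf-16-le"),
        "utf16le-lower": clsid.lower().encode("utf-16-le"),
        "binary-guid": clsid_to_bytes(clsid),
    }
    hits = []
    for form, needle in needles.items():
        start = 0
        while (idx := data.find(needle, start)) >= 0:
            hits.append((idx, form))
            start = idx + 1
    return sorted(hits)


# Constructed sample: filler, a markup-style reference, then a raw GUID struct.
SAMPLE = (
    b"\x00" * 16
    + b"clsid:{" + SHELLEXPLORER_CLSID.encode("ascii") + b"}"
    + b"\x00" * 8
    + clsid_to_bytes(SHELLEXPLORER_CLSID)
    + b"\xff" * 4
)

if __name__ == "__main__":
    for offset, form in find_clsid_indicators(SAMPLE):
        print(f"shellexplorer CLSID ({form}) at offset {offset:#x}")
```

For a real file, pass `open(path, "rb").read()` to `find_clsid_indicators`; for OOXML, unzip first and scan each part, since the zip container compresses the text forms.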
Haifei Li @HaifeiLi
With the CLSID "{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}" disclosed, I think it's not very hard to create the sample myself, or does someone want to save me time by sending me one? I want to test the @EXPMON_ system.:)
Rich Warren @buffaloverflow
@mkolsek @HaifeiLi @EXPMON_ @yorickkoster this trick still works on Word 2019 (10417.20080). No idea if it's actually the security feature bypass they patched, but this does actually work in preview pane.. so ..🤷‍♂️
Rich Warren @buffaloverflow
@_xpn_ 💯 I felt the same when I saw it earlier. It’s sad to see the monetisation of outrage seep through into the infosec TL, but good to call out this shitty behaviour
Adam Chester 🏴‍☠️
@buffaloverflow Winds me up, and I know I’m doing worse by retweeting, but hopefully calling out this BS first time stops any others from thinking it’s a good idea :/
Rich Warren reposted
Ollie Whitehouse @ollieatnowhere
Zero Trust is not a product, it is an approach - at the @NCSC we have just released "Demystifying zero trust", which addresses common misconceptions and provides practical advice on when and how it should be adopted. ncsc.gov.uk/collection/zer…
Rich Warren @buffaloverflow
@cyb3rops Probably an EULA violation so you shouldn't do it, but as a point of interest MS ship a big list of "FriendlyFile" hashes in Defender's vdm db github.com/commial/experi…
Florian Roth ⚡️ @cyb3rops
1 TB of diverse malware - trivial. 1 TB of truly diverse goodware - now that’s the challenge.
Rich Warren @buffaloverflow
@irsdl Haha thanks 😆 Unfortunately readme\.md was taken but I like your interpretation!
Rich Warren @buffaloverflow
I made a website that lets you generate VBA macro docs in your browser (using rust+wasm!): vba.rw.md ^just for fun, inb4 "motw kills macros" etc. 😅
Rich Warren @buffaloverflow
@irsdl True, sometimes bugs just find you 😅
Rich Warren @buffaloverflow
@irsdl A funny but ironic accident, good spot though! 😆
Rich Warren @buffaloverflow
@irsdl Does this count as second order stored XSS? 😅
Soroush Dalili @irsdl
Visiting NCC Group's blogs right now feels like a CTF challenge: decipher the mangled text while dodging XSS pop-ups. Better to use the web archive to see the original content, but they have even changed the URLs! Example: nccgroup.com/research-blog/… The fox-it.com etc. are also the same. My blog posts there are all ruined for sure, which is a shame. I have to repost them all on my own blog.