This Week in Security: Hornet, Gogs, and Blinkenlights

12 December 2025 at 10:00

Microsoft has published a patch-set for the Linux kernel, proposing the Hornet Linux Security Module (LSM). If you haven’t been keeping up with the kernel contributor scoreboard, Microsoft is #11 at time of writing and that might surprise you. The reality is that Microsoft’s biggest source of revenue is their cloud offering, and Azure is over half Linux, so Microsoft really is incentivized to make Linux better.

The Hornet LSM is all about more secure eBPF programs, which requires another aside: What is eBPF? First implemented in the Berkeley Packet Filter, it’s a virtual machine in the kernel, that allows executing programs in kernel space. It was quickly realized that this ability to run a script in kernel space was useful for far more than just filtering packets, and the extended Berkeley Packet Filter was born. eBPF is now used for load balancing, system auditing, security and intrusion detection, and lots more.

This unique ability to load scripts from user space into kernel space has made eBPF useful for malware and spyware applications, too. There is already a signature scheme to restrict eBPF programs, but Hornet allows for stricter checks and auditing. The patch is considered a Request For Comments (RFC), and points out that this existing protection may be subject to Time Of Check / Time Of Use (TOCTOU) attacks. It remains to be seen whether Hornet passes muster and lands in the upstream kernel.

Patch Tuesday

Linux obviously isn’t the only ongoing concern for Microsoft, and it’s the time of month to talk about patch Tuesday. There are 57 fixes that are considered vulnerabilities, and additional changes that are just classified internally as bug fixes. There were three of those vulnerabilities that were publicly known before the fix, and one of those was known to be actively used in attacks in the wild.

CVE-2025-62221 was an escalation of privilege flaw in the Windows Cloud Files Mini Filter Driver. In Windows, a minifilter is a kernel driver that attaches to the file system software to monitor or modify file operations. This flaw was a use-after-free that allowed a lesser-privileged attacker to gain SYSTEM privileges.

Gogs

Researchers at Wiz found an active exploitation campaign that uses CVE-2025-8110, a previously unknown vulnerability in Gogs. The Go Git Service, hence the name, is a self-hosted GitHub/GitLab alternative written in Go. It’s reasonably popular, with 1,400 instances exposed to the Internet.

The vulnerability was a bypass of CVE-2024-55947, a path traversal vulnerability that allowed a malicious user to upload files to arbitrary locations. That was fixed with Gogs 0.13.1, but the fix failed to account for symbolic links (symlinks). Namely, as far as the git protocol is concerned, symlinks are completely legal. The path traversal checking doesn’t check for symlinks during normal git access, so a symlink pointing outside the repository can easily be created. And then the HTTPS file API can be used to upload a file to that symlink, again allowing for arbitrary writes.
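An added example (not Gogs code and not the project's patch) of why a string-only traversal check misses a symlink, next to a symlink-aware check. The names `lexicalCheck`, `safeTarget` and `ErrEscapes` are hypothetical, and the demo paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapes = errors.New("path escapes repository root")
func within(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(os.PathSeparator))
}

// lexicalCheck stops "../" only: it never looks at the filesystem, so a symlink passes.
func lexicalCheck(root, rel string) (string, error) {
	p := filepath.Join(root, rel)
	if !within(filepath.Clean(root), p) {
		return "", ErrEscapes
	}
	return p, nil
}

// safeTarget also resolves the parent and refuses a symlink as the last component.
func safeTarget(root, rel string) (string, error) {
	p, err := lexicalCheck(root, rel)
	if err != nil {
		return "", err
	}
	realRoot, err1 := filepath.EvalSymlinks(root)
	realDir, err2 := filepath.EvalSymlinks(filepath.Dir(p))
	if err1 != nil || err2 != nil || !within(realRoot, realDir) {
		return "", ErrEscapes // unresolvable paths are rejected (fail closed)
	}
	if fi, err := os.Lstat(p); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrEscapes
	}
	return filepath.Join(realDir, filepath.Base(p)), nil
}

func main() {
	root, _ := os.MkdirTemp("", "repo") // constructed demo tree
	defer os.RemoveAll(root)
	os.Symlink("/outside/config", filepath.Join(root, "link")) // constructed target
	_, e1 := lexicalCheck(root, "link")
	_, e2 := safeTarget(root, "link")
	fmt.Println("lexical check:", e1, "| symlink-aware check:", e2)
}
```

A check followed by a separate write still leaves a race window, so the write itself should also refuse to follow a symlink in the final component (for example by opening with `O_NOFOLLOW`).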

The active exploitation of this vulnerability is particularly widespread. Of the 1400 Gogs instances on the Internet, over 700 show signs of compromise, in the form of new repositories with randomized names. It’s possible that even more instances have been compromised, and the signs have been covered. The attack added a symlink to .git/config, and then overwrote that file with a new config that defines the sshCommand setting. After exploitation, a Supershell malware was installed, establishing ongoing remote control.
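One way to audit for the config indicator described above, as an added example rather than a tool from Wiz or the Gogs project. `sshCommandIn` and `AuditTree` are hypothetical names, and the assumption is that the directory it walks holds the server's repositories and working clones; a hit is a lead for review, since `core.sshCommand` also has legitimate uses.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// sshCommandIn returns core.sshCommand from git config text (names are case-insensitive).
func sshCommandIn(text string) (string, bool) {
	section, val, found := "", "", false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") { // header; a key may follow on the same line
			head, rest, _ := strings.Cut(line[1:], "]")
			section, line = strings.ToLower(strings.TrimSpace(head)), rest
		}
		k, v, ok := strings.Cut(line, "=")
		if ok && section == "core" && strings.EqualFold(strings.TrimSpace(k), "sshCommand") {
			val, found = strings.TrimSpace(v), true // last assignment wins
		}
	}
	return val, found
}

// AuditTree maps every ".git/config" or "<name>.git/config" that sets it to the command.
func AuditTree(root string) map[string]string {
	hits := map[string]string{}
	filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err == nil && !d.IsDir() && d.Name() == "config" && strings.HasSuffix(filepath.Dir(p), ".git") {
			b, _ := os.ReadFile(p)
			if cmd, ok := sshCommandIn(string(b)); ok {
				hits[p] = cmd
			}
		}
		return nil
	})
	return hits
}

func main() {
	for p, cmd := range AuditTree(".") { // audit the current directory
		fmt.Printf("%s: core.sshCommand = %q\n", p, cmd)
	}
}
```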

The most troubling element of this story is that the vulnerability was first discovered in the wild back in July and was reported to the Gogs project at that time. As of December 11, the vulnerability has not been fixed or acknowledged. After five months of exploitation without a patch, it seems time to acknowledge that Gogs is effectively unmaintained. There are a couple of active forks that don’t seem to be vulnerable to this attack; time to migrate.

Blinkenlights

There’s an old story I always considered apocryphal, that data could be extracted from the blinking lights of network equipment, leading a few ISPs to boast that they covered all their LEDs with tape for security. While there may have been a bit of truth to that idea, it definitely served as inspiration for [Damien Cauquil] at Quarkslab, reverse engineering a very cheap smart watch.

The watches were €11.99 last Christmas, and a price point that cheap tickles the curiosity of nearly any hacker. What’s on the inside? What does the firmware look like? The micro-controller was by the JieLi brand, and it’s a bit obscure, with no good way to pull the firmware back off. With no leads there, [Damien] turned to the Android app and the Bluetooth Low Energy connection. One of the functions of the app is uploading custom watch dials. Which of course had to be tested by creating a custom watch face featuring a certain Rick Astley.

But those custom watch faces have a quirk. The format internally uses byte offsets, and the watch doesn’t check for that offset to be out of bounds. A ridiculous scheme was concocted to abuse this memory leak to push firmware bytes out as pixel data. It took a Raspberry Pi Pico sniffing the SPI bus to actually recover those bytes, but it worked! Quite the epic hack.

Bits and Bytes

Libpng has an out-of-bounds read vulnerability that was just fixed in 1.6.52. What’s weird about this one is that the vulnerability can be triggered by completely legitimate PNG images. The good news is that this vulnerability only affects the simplified API, so not every user of libpng is in the blast radius.

And finally, Google has pushed out an out-of-band update to Chrome, fixing a vulnerability that is being exploited in the wild. The Hacker News managed to connect the bug ID to a pull request in the LibANGLE library, a translation layer from OpenGL ES calls into Direct3D, Vulkan, and Metal. The details there suggest the flaw is limited to the macOS platform, as the fix is in the Metal renderer. Regardless, time to update!

FLOSS Weekly Episode 858: YottaDB: Sometimes the Solution is Bigger Servers

10 December 2025 at 14:30

This week Jonathan chats with K. S. Bhaskar about YottaDB. This very high performance database has some unique tricks! How does YottaDB run across multiple processes without a daemon? Why is it licensed AGPL, and how does that work with commercial deployments? Watch to find out!

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or have the guest contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

This Week in Security: React, JSON Formatting, and the Return of Shai Hulud

5 December 2025 at 10:00

After a week away recovering from too much turkey and sweet potato casserole, we’re back for more security news! And if you need something to shake you out of that turkey-induced coma, React Server has a single request Remote Code Execution flaw in versions 19.0.1, 19.1.2, and 19.2.1.

The issue is insecure deserialization in the Flight protocol, as implemented right in React Server, and notably also used in Next.js. Those two organizations have both issued Security Advisories for CVSS 10.0 CVEs.

There are reports of a public Proof of Concept (PoC), but the repository that has been linked explicitly calls out that it is not a true PoC, but merely research into how the vulnerability might work. As far as I can tell, there is not yet a public PoC, but reputable researchers have been able to reverse engineer the problem. This implies that mass exploitation attempts are not far off, if they haven’t already started.

Legal AI Breaks Attorney-Client Privilege

We often cover security flaws that are discovered by merely poking around the source of a web interface. [Alex Schapiro] went above and beyond the call of duty, manually looking through minified JS, to discover a major data leak in the Filevine legal AI. And the best part, the problem isn’t even in the AI agent this time.

The story starts with subdomain enumeration — the process of searching DNS records, Google results, and other sources for valid subdomains. That resulted in a valid subdomain and a not-quite-valid web endpoint. This is where [Alex] started digging through JavaScript, and found an Amazon AWS endpoint, and a reference to BOX_SERVICE. Making requests against the listed endpoint resulted in both boxFolders and a boxToken in the response. What are those, and what is Box?

Box is a file sharing system, similar to a Google Drive or even Microsoft Sharepoint. And that boxToken was a valid admin-level token for a real law firm, containing plenty of confidential records. It was at this point that [Alex] stopped interacting with the Filevine endpoints, and contacted their security team. There was a reasonably quick turnaround, and when [Alex] re-tested the flaw a month later, it had been fixed.

JSON Formatting As A Service

The web is full of useful tools, and I’m sure we all use them from time to time. Or maybe I’m the only lazy one that types a math problem into Google instead of opening a dedicated calculator program. I’m also guilty of pasting base64 data into a conversion web site instead of just piping it through base64 and xxd in the terminal. Watchtowr researchers are apparently familiar with such laziness efficiency, in the form of JSONformatter and CodeBeautify. Those two tools have an interesting feature: an online save function.

You may see where this is going. Many of us use GitHub Gists, which support secret gists protected by long, random URLs. JSONformatter and CodeBeautify don’t. Those URLs are short enough to enumerate — not to mention there is a Recent Links page on both sites. Between the two sites, there are over 80,000 saved JSON snippets. What could possibly go wrong? Not all of that JSON was intended to be public. It’s not hard to predict that JSON containing secrets was leaked through these sites.

And then on to the big question: Is anybody watching? Watchtowr researchers beautified a JSON containing a Canarytoken in the form of AWS credentials. The JSON was saved with the 24 hour timeout, and 48 hours later, the Canarytoken was triggered. That means that someone is watching and collecting those JSON snippets, and looking for secrets. The moral? Don’t upload your passwords to public sites.

Shai Hulud Rises Again

NPM continues to be a bit of a security train wreck, with the Shai Hulud worm making another appearance, with some upgraded smarts. This time around, the automated worm managed to infect 754 packages. It comes with a new trick: pushing the pilfered secrets directly to GitHub repositories, to overcome the rate limiting that affected this worm the first time around. There were over 33,000 unique credentials captured in this wave. When researchers at GitGuardian tested that list a couple days later, about 10% were still valid.

This wave was launched by a PostHog credential that allowed a malicious update to the PostHog NPM package. The nature of Node.js means that this worm was able to very quickly spread through packages where maintainers were using that package. Version 2.0 of Shai Hulud also includes another nasty surprise, in the form of a remote control mechanism stealthily installed on compromised machines. It implies that this is not the last time we’ll see Shai Hulud causing problems.

Bits and Bytes

[Vortex] at ByteRay took a look at an industrial cellular router, and found a couple major issues. This ALLNET router has an RCE, due to CGI handling of unauthenticated HTTP requests. It’s literally just /cgi-bin/popen.cgi?command=whoami to run code as root. That’s not the only issue here, as there’s also a hardcoded username and password. [Vortex] was able to derive that backdoor account information and use hashcat to crack the password. I was unable to confirm whether patched firmware is available.

Google is tired of their users getting scammed by spam phone calls and texts. Their latest salvo in trying to defeat such scams is in-call scam protection. This essentially detects a banking app that is opened as a result of a phone call. When this scenario is detected, a warning dialogue is presented, that suggests the user hangs up the call, and forces a 30 second waiting period. While this may sound terrible for sophisticated users, it is likely to help prevent fraud against our collective parents and grandparents.

What seemed to be just an illegal gambling ring of web sites, now seems to be the front for an Advanced Persistent Threat (APT). That term, btw, usually refers to a government-sponsored hacking effort. In this case, instead of a gambling fraud targeting Indonesians, it appears to be targeting Western infrastructure. One of the strongest arguments for this claim is the fact that this network has been operating for over 14 years, and includes a mind-boggling 328,000 domains. Quite the odd one.

FLOSS Weekly Episode 857: SOCification

3 December 2025 at 14:30

This week Jonathan chats with Konstantinos Margaritis about SIMD programming. Why do these wide data instructions matter? What’s the state of Hyperscan, the project from Intel to power regex with SIMD? And what is Konstantinos’ connection to ARM’s SIMD approach? Watch to find out!


FLOSS Weekly Episode 856: QT: Fix It Please, My Mom is Calling

26 November 2025 at 14:30

This week Jonathan chats with Maurice Kalinowski about QT! That’s the framework that runs just about anywhere, making it easy to write cross-platform applications. What’s the connection with KDE? And how has this turned into a successful company? Watch to find out!

