Oh look, Adobe published theirs at a reasonable hour this month too. Which is good because there are a lot there. And it appears almost all of them are listed as sev:CRIT.
https://helpx.adobe.com/security/Home.html
#patchTuesday
One of them lists the preview pane as an attack vector. Those are always fun.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53731
JK, there are more than the one sev:CRIT RCE that impact the preview pane.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53733
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53740
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53784
Nine sev:CRIT RCEs though.
Microsoft patches are out. The only one listed as publicly disclosed is a PrivEsc in Kerberos ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53779 ) and no EITW CVEs. I'm not saying I doubt them but I am definitely skeptical.
#patchTuesday
CISA released seven ICS advisories for your CNI operators to ignore.
https://www.cisa.gov/news-events/alerts/2025/08/12/cisa-releases-seven-industrial-control-systems-advisories
Intel published their August advisories. I like y'all but I'm not digging through all that for you.
https://www.intel.com/content/www/us/en/security-center/default.html
#patchTuesday
It's 2025 right? I haven't gone back in time? Okay, just checking.
https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-22wq-q86m-83fh
The sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lower-case attribute names (e.g. xlink:href instead of xlink:HrEf), which allows bypassing the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains.
Actually, I shouldn't mock this. It appears to be a small project making an effort at protecting from such a stupid attack vector that doesn't need to exist. And they're up front about their own vulnerabilities. That's better than many projects out there so good for them. 🍻
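The bug class in that advisory, as an added example written for this post (not code from svg-sanitizer, and in Python rather than the project's PHP): a link-attribute filter that only matches the exact lower-case name misses `xlink:HrEf`, which an HTML parser will still lowercase to `xlink:href` once the SVG is inlined. The `is_href_safe_value` policy and the sample SVG are assumptions constructed for the demo.

```python
"""Case-sensitive vs case-insensitive attribute matching in an SVG href filter."""
import xml.etree.ElementTree as ET

XLINK = "http://www.w3.org/1999/xlink"

# Constructed sample: one mixed-case xlink:HrEf, one external xlink:href and one
# same-document xlink:href. An XML parser keeps the names exactly as written.
SAMPLE_SVG = (
    f'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="{XLINK}">'
    '<a xlink:HrEf="javascript:alert(1)"><text>click</text></a>'
    '<image xlink:href="https://evil.example/pixel.png"/>'
    '<use xlink:href="#local-symbol"/>'
    '</svg>'
)


def is_href_safe_value(value: str) -> bool:
    """Assumed policy: allow only same-document fragments and inline data: images."""
    v = value.strip().lower()
    return v.startswith("#") or v.startswith("data:image/")


def sanitize(svg: str, case_insensitive: bool) -> str:
    """Strip unsafe href-like attributes; case_insensitive=False mirrors the bug."""
    root = ET.fromstring(svg)
    for el in root.iter():
        for name in list(el.attrib):
            # ElementTree uses Clark notation "{namespace}local"; keep the local part.
            local = name.rsplit("}", 1)[-1]
            # Vulnerable: exact match against the lower-case name only.
            # Hardened: compare the case-folded local name.
            looked_up = local.lower() if case_insensitive else local
            if looked_up == "href" and not is_href_safe_value(el.attrib[name]):
                del el.attrib[name]
    return ET.tostring(root, encoding="unicode")


def href_values(svg: str) -> list:
    """Values of every attribute whose local name case-folds to 'href'."""
    root = ET.fromstring(svg)
    return [v for el in root.iter() for k, v in el.attrib.items()
            if k.rsplit("}", 1)[-1].lower() == "href"]
```

Run `href_values(sanitize(SAMPLE_SVG, case_insensitive=False))` and the `javascript:` value survives; with `case_insensitive=True` only the `#local-symbol` reference remains.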
Some of y'all in a few months.
It's been a few months. Who's the lucky monkey?
@Dio9sys@haunted.computer nothing to see here dot gif
@Dio9sys@haunted.computer
What breach? No new vulnerabilities have been exploited. What? Breach! No! New vulnerabilities have been exploited.