Zerosquare (./36295): And that's how I managed to salvage a Canon all-in-one from my building's trash. The thing was spotless; only the ink cartridges were missing.
Canon sued for disabling scanner when printers run out of ink (BleepingComputer)
Canon USA is being sued for not allowing owners of certain printers to use the scanner or faxing functions if they run out of ink.
(Sound On) Confirmed! The team from @FSecureLabs used a stack-based buffer overflow to take over an HP LaserJet and turn it into a jukebox. Their efforts earn them $20,000 and 2 Master of Pwn points. #Pwn2Own https://t.co/3kqn5Cr7Y4
— Zero Day Initiative (@thezdi) November 4, 2021
https://old.reddit.com/r/GooglePixel/comments/r4xz1f/pixel_prevented_me_from_calling_911/ :
I had to call an ambulance for the grandmother on Friday as she appeared to be having a stroke. I got off a phone call with my mom, and proceeded to dial 911 just by typing and calling on my pixel. My phone got stuck immediately after one ring and I was unable to do anything other than click through apps with an emergency phone call running in the background. This is all while the phone informed me that it had sent my location to emergency services. Sadly I couldn't tell the person on the other end what apartment I was in, or what the actual emergency was as I was unable to speak to a human.
As my phone had clearly just been working from a phone call perspective, my best guess is the extra step of trying to send my location caused it to freeze. It then prevented me from hanging up and trying to call any phone number again. Luckily my grandmother is of the generation that still has a land line, otherwise I would have had to restart my phone, wait for a reboot, and then attempt to call emergency services so they could get people over asap.
https://old.reddit.com/r/GooglePixel/comments/r4xz1f/pixel_prevented_me_from_calling_911/hnrvsr1/
Based on our investigation we have been able to reproduce the issue under a limited set of circumstances. We believe the issue is only present on a small number of devices with the Microsoft Teams app installed when the user is not logged in, and we are currently only aware of one user report related to the occurrence of this bug. We determined that the issue was being caused by unintended interaction between the Microsoft Teams app and the underlying Android operating system. Because this issue impacts emergency calling, both Google and Microsoft are heavily prioritizing the issue, and we expect a Microsoft Teams app update to be rolled out soon – as always we suggest users keep an eye out for app updates to ensure they are running the latest version. We will also be providing an Android platform update to the Android ecosystem on January 4.
Since September 2021, police officers in York Region alone have investigated five incidents where suspects used AirTags in thefts of high-end vehicles. Thieves target any particularly valuable vehicles they find in public places and parking lots, placing an AirTag in an out-of-sight area, such as in the tow hitch or fuel cap, in the hope that it will not be discovered by the car's owner.
We already have our first 0-day on Mars and we’ve not even set foot there yet 🤦♂️ https://t.co/qAYWG22mhO
— Scott Helme (@Scott_Helme) December 11, 2021
Zerosquare (./36317): You need an Apple account and an iPhone or iPad to set up the AirTag, so there's a good chance that, behind it, you can recover connection IPs and locations.
But that's exactly the point: what information? You don't need to provide your identity to get hold of an AirTag. And I imagine the criminals who use this kind of method aren't stupid enough to pair the tag with their personal phone/account...
Zeph (./36320): Example of vulnerable code: log.info("Request User Agent:{}", userAgent);
I imagine log4j works like every logging library in the world, so with calls that look like _logger.LogWarning("Invalid user input: {0}", userInput), in which the first argument is a template that supports a number of special syntaxes for inserting dynamic content (including the famous JNDI lookup that is causing the problem). But this interpolation is only active in the template (which is supposed to be a fixed string defined by the code), not in the function's other arguments. So unless the library has been misused and user input passed as the method's first argument, it's impossible to exploit the flaw? Otherwise, if all the arguments are interpolated, log4j would be a sieve that throws the door wide open to every imaginable code injection, wouldn't it?
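Added example, not from the thread or from log4j: a simplified Python model of the evaluation order asked about above. In the log4j 2 releases affected by the JNDI lookup issue, lookups were applied to the message text after the {} arguments had been inserted, so the template being a constant did not protect the userAgent call; CONTEXT, render and the sample header are constructed for illustration.

```python
import re

# Constructed lookup data standing in for what a logger can resolve (assumption).
CONTEXT = {"env:DB_PASSWORD": "s3cr3t-constructed"}
LOOKUP = re.compile(r"\$\{([^${}]+)\}")


def resolve_lookups(text, hits):
    """Replace each ${key} found in text, recording every key evaluated."""
    def repl(match):
        hits.append(match.group(1))
        return CONTEXT.get(match.group(1), match.group(0))
    return LOOKUP.sub(repl, text)


def fill(template, args):
    """Insert args into {} placeholders left to right, verbatim."""
    parts = template.split("{}")
    out = parts[0]
    for i, part in enumerate(parts[1:]):
        out += (str(args[i]) if i < len(args) else "{}") + part
    return out


def render(template, args, lookups_on):
    """Return (logged text, lookups evaluated) for one evaluation order.

    'template'  : lookups run on the fixed template only (the post's assumption)
    'formatted' : lookups run after the arguments are inserted (unsafe order)
    'none'      : message text is never scanned for lookups (the mitigation)
    """
    hits = []
    if lookups_on == "template":
        return fill(resolve_lookups(template, hits), args), hits
    text = fill(template, args)
    if lookups_on == "formatted":
        text = resolve_lookups(text, hits)
    return text, hits


if __name__ == "__main__":
    # Constructed request header carrying a lookup token.
    user_agent = "Mozilla/5.0 ${env:DB_PASSWORD}"
    for mode in ("template", "formatted", "none"):
        print(mode, render("Request User Agent:{}", [user_agent], mode))
```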