Profile picture
, 4 tweets, 3 min read
My Authors
Read all threads
The cat's pretty much out of the bag on how to exploit this. Expect widespread exploitation attempts for CVE-2019-19781 at this point.
Despite being almost a month old, there is NO PATCH from @citrix at this point. Only a (very important) mitigation.
kb.cert.org/vuls/id/619785/ Image
@citrix You don't need to run a working exploit to know if a system is vulnerable or not, though. Simply visit:
CITRIXGATEWAY/vpns/cfg/smb.conf
in your web browser or script or whatever.
If you get a file, the system is vulnerable.
If you get a 403, it has had mitigations applied.
@citrix Also, FreeBSD 8.4 was EOL'd years ago. And even FreeBSD v. current doesn't even have ASLR enabled (not that it'd matter in this particular case).

And this is something you're exposing directly to the Internet?

YOLO!
@citrix Note that Citrix has updated support.citrix.com/article/CTX267… since its initial release. Two notable changes:
1) Citrix SD-WAN WANOP has been added to affected products.
2) Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31 have bugs that make the mitigations not work. Whoops!
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Will Dormann

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @wdormann see all

Profile picture
Will Dormann
@wdormann
Now that Twitter has changed how it handles uploaded images, this unexpected behavior is perhaps more important now than before.
Your challenge: Tell me what I've redacted from this image.
(Anybody I've talked to about this so far is ineligible to play)
It can be done w/o tools.
Answer:
Several apps (e.g. @GIMP_Official, @Apple Preview) do not actually delete content from images with an alpha channel. They simply create an alpha-channel tunnel through the content you think that you're removing.
You may think you've removed content, but it's just hidden.
If you remove the alpha channel, you now can see what's behind it. You can do this with ImageMagick, e.g.
convert input.png -alpha off output.png
You now have an image that doesn't have the alpha channel, so therefore is unredacted.
But it's actually even easier than this!
Read 9 tweets
Profile picture
Will Dormann
@wdormann
@johannh Let's be quite clear here:
Zoom intentionally created a vulnerability to work around a security improvement in Safari. This was done to save the user a single click.
@johannh Also note that because Zoom decided that requiring a single click from the user is unacceptable, the vulnerability that they chose to create as a workaround also means that receiving a simple email can result in your camera and microphone being turned on. Neat.
@johannh And on the Windows side of things, both Internet Explorer and Edge also launch Zoom without prompting (albeit not apparently via a process listening on localhost). Chrome and Firefox behave sanely in that the user is prompted before a 3rd-party application is launched.
Read 4 tweets

Related threads

Profile picture
Kate
@KateDAdamo
Good morning! Will be tweeting as long as I can last at the #DecrimDC hearing! It’s gonna be a long day and if you want to join in spirit & watch the livestream, link here! #sexwork #rightsnotrescue #housingnothandcuffs video.oct.dc.gov/412/jw.html
No matter what happens, today is HISTORIC and the work of @DecrimNowDC made this happen. @HIPSDC @NJNP_DC @SafeSpacesDC and many other groups are immeasurable. It’s truly a win. This moment is a win.
@councilofdc opens w @charlesallen setting an ask for respect and the necessity of this debate. @JackEvansWard2 gives some history on the issue in DC & approaches to prostitution - all rely on policing, inc “creative solutions” which were considered unconstitutionally harsh
Read 230 tweets
Profile picture
Iron Gall Design
@IronGallDesign
Russian Blue #Cat #Gifts Collection

zazzle.com/collections/ru…

#giftideas
Russian Blue #Cat Staring Bumper #Stickers

zazzle.com/russian_blue_c…
Russian Blue #Cat Looking Wrapping #Paper

zazzle.com/russian_blue_c…
Read 13 tweets
Profile picture
Chris #OpenSelection #GeneralStrike #JC4PM
@Socialist_Chris
THREAD

So I was going to wait with this one. But events are moving fast. The whole Brexit debacle aside, it is entirely possible a Tory leadership contest is on the way.

And you thought Gove was bad. I mean he is, he's pure evil. But still. Brace yourselves.
I was chatting with a few folks tonight about the possibility of Johnson vs Corbyn. My main concern was, and is, the "lesser Trump" narrative. Ken Clarke pretty much exemplifies it here. If Johnson does fight a GE, expect to see a lot of this.

telegraph.co.uk/news/2016/05/3…
Of course, this plays into Johnson's public perception - the bumbling buffoon. It is widely known that Johnson intentionally plays this up. So far, he's had success with it. But combined with the lesser Trump narrative, it could be extremely dangerous.
Read 63 tweets
Profile picture
tsukinfo post tls!
@ameagarinoUFO
🌙It’s been a year since TSUKIPRO THE ANIMATION aired! To commemorate, here’s a thread of characters that are part of the SQ and ALIVE series in TSUKIPRO!🌙

Feel free to quote/retweet, but please don’t reply!💫
Tsukino Talent Productions:
-Encompasses various music-oriented groups
-The universe exists in real time and characters grow as we do
-Has four units that are featured in TSUKIPRO the Animation: SolidS, SOARA, Growth, and QUELL, split into two “series” that interact: SQ and ALIVE
SQ: SolidS and QUELL
ALIVE: SOARA and Growth

Each unit is connected to an element in nature.

The IRL composer for SolidS, SOARA, and Growth is Takizawa Akira (or John-san) and the composer for QUELL is Hama Takeshi.
SQ artist is Satsuki Yuu, and ALIVE artist is Shijima Tohiro.
Read 50 tweets
Profile picture
🐻 breeze 🐻
@mintsuga_addict
#Yoonmin au || abo

Male omegas are rare. Rare, and highly sought after.

Jimin is a male omega who takes suppressants on the daily and hides his scent with blockers and beta oils.
It wasn’t until he joined Seoul University and met Min Yoongi did those precautions stop working.
Wow, okay, I know what your thinking: isn’t this like you 10000000 au??? Well, yes,,, but I already have a majority of this one written so 🤷‍♀️why not upload it here...
1: DONT REPLY TO THE THREAD (either quote or @ me plz)
2: I hate editing so there is going to be mistakes. everywhere, just fight through 🤧✊
3: idk if it’s gonna be 🔞 we’ll see🤷‍♀️🤷‍♀️🤷‍♀️
4: SCHOOL IS LITERALLY STARTING TOMORROW SO PLZ DONT EXPECT DAILY UPDATES
Read 286 tweets

Trending hashtags

#violence #BlackLivesMatter #calmbeforethestorm #tennis #BurnabyNow #pounce #sexworkers #throwstones #exploitation #CAT #Bag #destroy #VAR #sportsbiz #rightsnotrescue #religion #UraniumOne #opinion #Trudeau #TheDragonsDen #Gifts #rant #BramptonEast #safe #Corporations
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!