#CVE information
windmillcode · 5 months ago
LibTracker Updates 11/25/24: Simplify Dependency Management with this simple SBOM Tool
We are excited to announce the latest updates to *LibTracker*, our VSCode extension designed for professionals to simplify software bill of materials (SBOM) management. With LibTracker, you can effortlessly analyze and manage your apps, ensuring up-to-date versions, addressing security vulnerabilities, and resolving licensing issues—all at a glance.
Access it here: [LibTracker on VSCode Marketplace](https://marketplace.visualstudio.com/items?itemName=windmillcode-publisher-0.lib-tracker)
### New Features in the Latest Release:
- **Grouped Paths**: Added the ability to associate multiple apps with a root folder, easing project transfers between computers.
- **App Detail Page**:
  - **Subdependency Information**: View detailed info and license info for subdependencies.
  - Toggle between root and subdependency data to explore license and CVE details.
- **Bulk Group Path Update**:
  - Recursively searches for app basenames within directories, or the exact subPath. Can specify a recursion level.
### Upcoming Features:
- **App Detail Page Enhancements**:
  - Integration of CVE details for all subdependencies.
  - Search functionality extended to include nested child rows.
  - Expand and collapse all subtables within rows for streamlined navigation.
  - Responsive design updates to allow a card-based layout for improved usability.
- **Toggle Select All Apps**: Introducing a select-all option on the project detail page.
- **Workspace Folder Management**: Development depends on VSCode API’s ability to support VSCode profiles.
- **SBOM Generation**: Investigating whether to retrieve license and CVE details for every version of each package used in the app.
### Future Milestones (Exploring Feasibility):
- **Git Backup Changes**: Enhancements to streamline version control and backup capabilities.
- **AI-Powered Summaries**: Considering automated generation of license and CVE category summaries.
- **Subdependency Navigation**: Exploring the possibility of linking subdependencies in the license pane to their locations in the dependency table
- **Advanced Table Features** - the current package does not support
  - child row search
  - expand and collapse all subtables in a given row
  - responsiveness (remove columns or using cards at a certain viewport)
0 notes
gallifreyanhotfive · 9 months ago
Random Doctor Who Facts You Might Not Know, Part 63
Adric had programmed the route back to E-Space into the TARDIS before he died. When the TARDIS came close into a CVE, Adric set the program to automatically travel into E-Space, specifically to Alzarius. This is how the Fifth Doctor, Tegan, Nyssa, and Turlough ended up in E-Space. (Audio: Mistfall)
The Eighth Doctor once took a ton of a drug called Om-Tsor in order to psychically stop a lot of missiles. (Novel: Revolution Man)
Meglos considers himself to be the Doctor's greatest enemy because the Doctor only defeated him once (while they have defeated Daleks, etc many times). (Short story: Meglos)
The Seventh Doctor hates swimming. (Novel: The Also People)
After Sabbath removed the Eighth Doctor's heart and implanted it into his own chest, the Doctor could not die. Even when he was absolutely crushed by sandbags, one of his hearts was still beating in Sabbath's chest, so he would survive. (Novel: Camera Obscura)
The Brigadier liked Persephone a lot. As in he fell in love with her. As in fighting Hades for her. As in kissing her. As in thinking that she had a perfect bum and that she was both delicious and delectable. Yeah. (Novel: Deadly Reunion)
One time, Ace mentioned that it was a bit of a coincidence that both Gallifrey and America had a "CIA." Narvin said she could think it was a coincidence if she wanted and that his people "get around," thus implying that there are ties between the two. (Audio: The Quantum Possibility Engine)
The Mara once possessed Kamelion through Tegan's subconscious. Kamelion assumed the form of a Gorgon and used his abilities to turn people into stone. (Short story: Mark of the Medusa)
One time, the Eighth Doctor tried to get his companion Izzy to go exploring in a new city with him, but she was too busy reading a history book on it. Annoyed after arguing with her, the Doctor explored by himself, going into a jam shop only to find that the merchant had been murdered by a guy with a hook for a hand. While trying to remove the hook, the Doctor was knocked unconscious, so when the police came, he was found with the dead body and the murder weapon. He was charged with several murders and sentenced to die, but Izzy was able to phone in a tip using information she knew from the history book to vindicate him just before he was executed. (Comic: By Hook or By Crook)
If the Valeyard had beaten the Sixth Doctor during their battle in the Matrix, he would have messed with time so dramatically that it would become catastrophically damaged. Eventually, he would have left hiding away in his TARDIS, afraid that any action he took would make things worse. The TARDIS would have confined him inside, immobilized with force fields. The TARDIS would only still be alive due to the symbiotic nuclei connecting her to her pilot, and the Valeyard would only be alive because of his connection to his TARDIS. Unable to do anything, they (including Mel) would be trapped there seemingly forever. (Audio: He Jests At Scars...)
Fitz Kreiner had a dream where he and the Eighth Doctor were both naked in the TARDIS console room, their bottoms touching each other's. The Dream Doctor made sure to tell him that he didn't think this was his subconscious telling him anything about his sexuality. He panicked when he realized he couldn't feel the Doctor's bottom anymore - which was because they were merging into one. (Novel: Halflife)
The Mara eventually entered the Fifth Doctor's mind, using him as a primary host to try to subjugate Manussa in an earlier time period. He was freed when Tegan and Turlough used a circle of cameras and screens (similar to the mirrors). (Audio: The Cradle of the Snake)
The Eighth Doctor, Anji, and Fitz were once made to wear collars and leashes while walking around on all fours naked. They had been provided with plastic chew toys. The Doctor and Fitz didn't appear to be bothered by this. (Novel: Mad Dogs and Englishmen)
The Eighth Doctor once commented that he could potentially have a bunny slipper fetish. (Novel: Grimm Reality)
While on Trenzalore, the Eleventh Doctor lost a leg while fighting a tsunami snake. (Short story: The Dreaming)
96 notes · View notes
cosmokrill · 2 years ago
Stay safe! Make sure to use Discord on safe browsers like Chrome or any Chromium-based browser until Discord sends out a patch!
You don't want Ford to send you a .webp file on the Discord app and, just by viewing it, be infected with whatever malware he hid inside that funny picture! As cute as that face is, you can't trust them!
In all seriousness though, do stay safe. Considering it's a zero day exploit, Discord is going to roll out a patch asap. But until then, we will have to stick with browser Discord.
Here are some helpful articles, so you can stay informed!
CVE-2023-5129 is currently still a very real threat for apps such as Slack, Discord, Skype, Visual Studio Code, Twitch, Microsoft Teams, and the Github app.
Many browsers, such as Google Chrome, Firefox, Brave, and Opera have rolled out patches so as long as you update your browser you'll be all good!
98 notes · View notes
nshtn · 24 days ago
Are we admitting things tonight?
I got my start in pentesting from multiplayer flash exploits. I hyperfocused on packet opcodes and VBS because I liked old '98 VBS worms, but other people were speccing into flash RCE CVEs back then.
It wasn't about malicious or malformed packets. It was about doing cool things with the packets - cool, observable phenomena, the equivalent of string lights around yourself to draw attention. I used to prepare chat packets of glittering rainbow ASCII one by one and test them meticulously - nothing rude or mean, things like unicorns and spongebob.
It was a different time. None of us even knew the magnitude of what we were doing to each other's computers.
These days, I remain shocked at the level of respect people had for one another's privacy when we did these things. Nobody ever got their personal information posted, or their pictures/cards/accounts stolen. I doubt that's even possible today.
5 notes · View notes
alex99achapterthree · 8 months ago
A bad day on the USS Altamaha (CVE-18)...
This Grumman F4F Wildcat had an issue landing aboard USS Altamaha. It struck something with the right wingtip and ended up in the water. I've no more information on the incident... I hope the pilot got out.
USS Altamaha...
... was part of the class of "escort carriers", often referred to as "jeep carriers". Constructed using commercial hulls like transports with a flight deck built on top, they were much smaller, slower, lightly armed and carried fewer planes than the fleet carriers. Escort carriers mostly served as transports and support vessels since they couldn't keep up with the fleet in major actions and were very vulnerable to attack. In the Atlantic ocean, several served with distinction in anti-submarine task groups, protecting convoys from German U-boats.
15 notes · View notes
daniel-nerd · 1 year ago
if you use linux, UPDATE YOUR SYSTEM NOW
XZ got backdoored, specifically the release tarballs of version 5.6.0-1 and 5.6.1-1.
for more information on the status in your specific distro go to their website.
for more information on the backdoor itself, it's CVE-2024-3094
7 notes · View notes
sqlinjection · 5 months ago
Impact of successful SQLi, examples
Three common ways SQL injection attacks can impact web apps:
- unauthorized access to sensitive data (user lists, personally identifiable information (PII), credit card numbers)
- data modification/deletion
- administrative access to the system (-> unauthorized access to specific areas of the system or performance of malicious actions)
examples as always speak louder than explanations! there are going to be two of them
1. Equifax data breach (2017) - 1st way
Hackers exploited a SQL injection flaw in the company’s system, breaching the personal records of 143 million users, making it one of the largest cybercrimes related to identity theft.
Damages: The total cost of the settlement included $300 million to a fund for victim compensation, $175 million to the states and territories in the agreement, and $100 million to the CFPB in fines.
2. PlayStation Network Outage or PSN Hack (2011) - 2nd way
The result of an "external intrusion" on Sony's PlayStation Network and Qriocity services, in which personal details from approximately 77 million accounts were compromised and prevented users of PlayStation 3 and PlayStation Portable consoles from accessing the service.
Damages: Sony stated that the outage costs were $171 million.
more recent CVEs:
- CVE-2023-32530. SQL injection in security product dashboard using crafted certificate fields
- CVE-2020-12271. SQL injection in firewall product's admin interface or user portal, as exploited in the wild per CISA KEV. ! this vulnerability has critical severity with a score 10. Description: A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)
- CVE-2019-3792. An automation system written in Go contains an API that is vulnerable to SQL injection allowing the attacker to read privileged data. ! this vulnerability has medium severity with a score 6.8.
3 notes · View notes
zerosecurity · 10 months ago
Zero-Day CVE-2024-24919 Discovered in Check Point's VPN Software
Cybersecurity software vendor Check Point has issued a critical warning to customers, urging them to update their software immediately due to a zero-day vulnerability in their Virtual Private Network (VPN) products that is actively being exploited by attackers. The vulnerability, assigned CVE-2024-24919 and a CVSS score of 8.6 (high severity), affects Check Point's CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances.
VPN Exploit Targets Older Local Accounts
According to Check Point's advisory, the vulnerability involves attackers "using old VPN local accounts relying on unrecommended password-only authentication method." The company strongly recommends against relying solely on password authentication for logging into network infrastructure, emphasizing that it is an unfavorable method for ensuring the highest levels of cybersecurity.
Potential Impact and Lateral Movement
If successfully exploited, the vulnerability could grant an attacker access to sensitive information on a security gateway, as well as enable lateral movement within the network with domain administrator privileges. Threat intelligence firm Mnemonic, which was contacted by Check Point regarding the vulnerability, has confirmed that the exploit allows threat actors to retrieve all files on the local filesystem, including password hashes for local accounts, SSH keys, certificates, and other critical files.
Patches Available and Recommended Mitigations
Check Point has released patches for all affected systems, and customers are strongly advised to apply the updates as soon as possible. In addition to installing the patches, Check Point recommends hardening VPN posture by implementing multi-factor authentication (MFA) and reviewing and removing unnecessary local VPN accounts. For any necessary local accounts, additional authentication measures should be added to mitigate the risk of exploitation.
The actively exploited zero-day vulnerability in Check Point's VPN products underscores the importance of promptly applying security updates and following best practices. While implementing MFA can be a hassle, the consequences of a data breach or network compromise can be far more severe. Organizations using affected Check Point products are urged to take immediate action to secure their systems and protect their valuable data and infrastructure.
4 notes · View notes
theanarchistscookbook · 2 years ago
Simplified Privacy
Google’s Surveillance: The Shocking Truth
Google is the opposite of privacy.  They maliciously collect data from you in the following ways:
The Sources for this article can be found here.
1) Saving all your Google searches, tied to your identity across devices [1] [2] [30]
2) Reading all your emails.  Even if you don’t use Gmail directly, but you’re sending email to someone who does.  [5] [6]
3) Saving all your web traffic if the website uses Google Ads, Captchas, or Analytics (and over 85% of all websites use some of their services).  Even if you aren’t signed in to a Google account, and you’re using a VPN, they can still use past cookies and browser fingerprinting to identify you.  [35] [1] [25] [26]
Google’s reCaptcha fingerprinting includes mouse movements, response time, timezone, screen dimensions, IP address, and any cookies.  ReCAPTCHA uses the google.com domain instead of one specific to ReCAPTCHA, which allows Google to receive any cookies you have directly, instead of the website you’re visiting. [35] This concentrates the vast majority of all traffic data in the hands of a single company, which can then be used to de-anonymize users.
4)  Everything you do in Google’s Chrome Browser is recorded, including even how long you are idle on a page.  [7] [8]
5) Tracking and Saving your physical location, via Android’s GPS and Wifi triangulation. [12] [13]
Even if you turn location features off or set the phone to airplane mode, it still saves your location via Wifi triangulation, which is the process of pinging nearby Wifi hotspots to identify where you are.  [9] [10] [11] Wifi triangulation can figure out your real location, even if you have a fake IP address from a VPN. [14]
As intelligence expert and ex-law enforcement Michael Bazzell says, Google is one of the first places law enforcement goes to for information because Androids track everyone’s location so accurately. Bazzell points out that even if you’re not directly involved in something, just owning an Android that was near it, can get you involved in answering police questions.  Bazzell’s experience serving in law enforcement and intelligence motivated him to completely cut Google out of his life even though he’s doing “nothing wrong”.  [11]
6) Keeping track of who you know to identify new phones or email accounts as you.
Rob Braxman
Privacy expert and phone operating system designer Rob Braxman points out that, by synching everyone’s phones’ contact lists and who they are physically standing near, Google (and therefore governments) can identify unknown devices or email accounts as you.  [30] [31] [32a]  Braxman further points to publicly available websites made by Google’s Jigsaw division and their partner Moonshot CVE, which openly sells services to governments to track and manipulate search results for targeted users.  These users targeted by Jigsaw & Moonshot CVE’s government clients have their search history, location, and identifying fingerprint stored in a database. [32b]
7) Recording and saving audio of your private conversations [16] [17] [18]
Google’s Android has the microphone constantly recording and saving your intimate personal conversations against your wishes for their profit and power.  As an extensive academic study of tech patents by Consumer Watch Dog points out, Google will claim this is only to find out if you said the words “Google Assistant,” but yet they have publicly filed patents to scan audio conversations and any available visuals on a variety of home smart devices to identify who is speaking, what you’re interested in, and what you’re doing for the purpose of targeted advertising.  [15]
Tracking what you say, what you like, when you sleep, and even when you go to the bathroom, goes well beyond Google Assistant helping you do a quick search and would instead be considered an all-inclusive surveillance. [15]
In addition, they’ll allow 3rd party apps to record you without your knowledge because of poor permissions control. As University of California Santa Barbara cybersecurity researchers presented at a BlackHat European conference, 3rd party apps like Silverpush can play high frequency audio, which is invisible to the human ear, on another device like a television ad or mall kiosk.  Then your phone’s mic picks up the frequency, to rat out your real identity or location. [34]
Silverpush’s advertising system is embedded into many “free” apps on the Google Play Store. These doctoral researchers warned of the dangers this presents by being connected to wide-spread platforms like Google Ads. To demonstrate this, they played video of their lab experiment, which de-anonymized a laptop through Tor Browser, because of an Android’s mic next to the laptop’s speakers, which was signed in to a Google account. [34]
Is the Data Sold?
Google has marketing propaganda which claims that they are merely selling advertising space on your devices and not selling the data itself.  However, this claim is misleading in a number of ways. 
First, not only is advertising sold by demographics or interests, but in addition, Google also allows its advertising customers to target users by name, email, or device ID and reach them almost anywhere. [1] So advertisers can target you specifically and then serve you anything on your specific device by name.
Second, while it’s true that Google technically doesn’t sell your actual name to the advertiser, when your device interacts with an ad, the third party advertiser can easily use your IP address, cross-site cookies, and/or browser fingerprinting to identify you. For example, suppose an advertiser runs an ad for an ebook on how to get out of debt. The advertiser could collect the IP addresses of anyone who clicks it, and so they’d know who’s indebted.
“I think the big problem is that we give much more data to Google than it needs,” said Guillaume Chaslot, former Google engineer who worked on YouTube’s recommendations algorithm. [4a] Chaslot’s first-hand experience with Google’s spyware and manipulation inspired him to create the non-group AlgoTransparency.org, which openly says in its manifesto, “algorithms don’t have your best interests at mind”. [4b]
Play Store and Chrome Extensions Leak Data
Third, the Google Play Store and their Chrome Browser Extension Store leak application and user data directly to the app’s developers.  This is sensitive private information, and these third party app developers are NOT carefully vetted, as almost anyone can put an app in the Google Play or Chrome Extension Store with minimal screening.  Examples: [21] [23] [24]
Mental Outlaw
“Mental Outlaw” is a cybersecurity Youtube video influencer who is constantly having his videos about torrents flagged by Google as “dangerous content”.  He points out how ridiculous this is because Google does so little to stop real dangerous content.  One of the numerous examples he’s given is the Chrome webstore featuring extensions that are malicious hacking malware, which does URL injections to force online shoppers, without their knowledge, to use the malware creator’s affiliate links when they shop online. [22b] These 5 popular extensions got over 1.3 million downloads, which got the attention of McAfee Labs, the research department of the respected anti-virus company.
From McAfee Labs’ articulate research, this is a huge security risk because not only is your personal data, like name and location, sent to malicious actors, but the attacker can forward the URL to any site they want. So you might think you’re going to BestBuy.com, but it’s really the attacker’s bullshit site to get your credit card info. [22b]
Youtuber Mental Outlaw points out how ludicrous it is that not only did Google allow 1.3 million people to download these extensions, but they have featured status on the Google Chrome store. [22a] And not only does Mental Outlaw find similar malware in the Android Play Store, but Google has changed how apps disclose permissions to remove themselves of liability.  Starting in mid-2022, Google has the app developers themselves disclose what permissions the app uses, so Google does not have to do any research.  This is a conflict of interest, since app developers are self-reporting what information they get access to, and the end user may not properly be able to evaluate it. [19] [20a]
Sell it via Cookies
Google’s defense to these types of criticisms has always been that they don’t “sell your data” directly.  But as laid out in research from the tech-savvy lawyers at the Electronic Frontier Foundation, Google allows advertisers to connect their cookies with Google’s in order to process data on the customer.  This process is called “cookie matching” and essentially allows Google to sell the advertiser your information through a cookie. [1] 
In the European Union, if Google were caught selling this data directly, it would be illegal.  [27] [28] [29] So instead Google finds sneaky work-arounds such as the cookie matching, which allows them to appease the regulators and make statements like “we don’t sell data, we just use the data.” [1]
Conclusion
The more influence that Google has in our society, the more difficult it becomes to avoid their fingerprinting.  If every website has a Google Captcha and everyone you talk to demands you talk to them on Gmail, then Google has become the gatekeeper for overseeing all human behavior.  They can use this power to influence who sees your messages and what information you are able to find.
By using Gmail or Google Docs, you’re forcing and enabling Google to fingerprint your loved ones or friends.  Even if you think you’re doing nothing illegal, you assume that Google will give you and those you care about an equal opportunity for your business to thrive.  They can reduce Google’s search traffic to your website, or bounce your emails to potential employers or customers.  They can buckle your business at the knees if they think it fits its agenda and by giving them so much information you’ve completely surrendered your freedom.
Well what is their agenda?
In our next article, we’ll discuss Google’s censorship ability to shape society and how it affects you.
14 notes · View notes
monstroso · 1 year ago
got pinged by @siderods for an ask game, thanks for the tag!
gonna keep it short for yall tonight
nine things / nine people (nine doors?)
Last Song: I Am A Man Of Constant Sorrow. DJ and I were going to watch O Brother, Where Art Thou? but she keeps blowing me off so i have to listen to the soundtrack at work by myself. sad!
Favorite Color: to wear? black. in general? green.
Last Movie/TV Show: last thing I watched was VH1's 2008 documentary series on the sexual revolution. It was pretty interesting as a cultural artifact, a great snapshot in time and pretty informative too! it's called Sex: The Revolution, check it out if you can find it!
Sweet/Savory/Spicy: Savory most of the time, but I am a slut for all three.
Last Thing I Googled: "changes on tumblr" needed to see if the activity feed eating reblog notifs was on their to-fix list. it was not!
Current Obsession: ugh. The USS Guadalcanal CVE-60. don't look at me, i like boats now.
Last Book: Illinois Railway Museum In Color by Aaron Isaacs, a photohistory of my local railway museum.
Last Fic: A Patient's Guide To Living With ICS (House MD fic). I'm gonna be honest I only clicked on this one because it's set in Chicago. The dialogue was really good though, and the smut wasn't bad either!
Looking Forward To: getting my fuuuuucking car fixed tomorrow. oh and my friend @calliclassic is working on a commission for me that's almost done!
i tag: @the-commonplace-book @galushanationalrailways @stukagoggles @theskoomacat aaaand anyone else who wants to do this i feel shy about tagging anyone else lol
4 notes · View notes
news247worldpressposts · 1 year ago
#CERT/CC Reports R Programming Language Vulnerability
05/01/2024 08:00 AM EDT
CERT Coordination Center (CERT/CC) has released information on a vulnerability in R programming language implementations (CVE-2024-27322). A cyber threat actor could exploit this vulnerability to take control of an affected system. Users and administrators are encouraged to review the following advisories and apply the…
2 notes · View notes
reliqus · 1 year ago
WordPress users, beware! A new phishing scam targeting the popular content management system was discovered on January 5th, 2024. This scam involves a fake 'CVE-2024-46188' patch that claims to fix a security vulnerability in WordPress. However, this is actually a cleverly crafted phishing attempt to steal sensitive information from unsuspecting website owners. 
Remember, as per the WordPress team, "Official communications from WordPress will always come from a wordpress.org or wordpress.com email address." To know more, read our full blog on Fake CVE Phishing Scam Tricks.
2 notes · View notes
the-hacker-news · 1 year ago
Critical Citrix NetScaler Flaw Exploited to Target from Government, Tech Firms
The Hacker News : Citrix is warning of exploitation of a recently disclosed critical security flaw in NetScaler ADC and Gateway appliances that could result in exposure of sensitive information. Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability impacts the following supported versions - NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50 NetScaler ADC and NetScaler Gateway 13.1 before http://dlvr.it/SxcVKs Posted by : Mohit Kumar ( Hacker )
2 notes · View notes
WIZARD PSA: This is not sufficient! A skilled analyst can divine your personal information from the shards and residue, per CVE-2019-8575. Until the vulnerability is patched, we recommend remote souping as best practice.
In a fantasy setting, my job would be exactly the same
32K notes · View notes
techaipost · 6 days ago
Microsoft addressed 121 vulnerabilities in April 2025 Patch Tuesday Update
Microsoft released the April 2025 Patch Tuesday update, including fixes for a significant 121 vulnerabilities across various Microsoft products. This includes one actively exploited zero-day vulnerability, CVE-2025-29824, and 11 critical remote code execution (RCE) vulnerabilities. The patch addresses vulnerabilities in key components such as Windows Hyper-V, Remote Desktop Services, Azure, LDAP, .NET Framework, and Microsoft Office, making it an important update for users and organizations.
The 121 vulnerabilities patched in April 2025 span multiple severity levels and types, with Microsoft classifying them as follows:
- 11 Critical: These are primarily RCE vulnerabilities that could allow attackers to execute malicious code remotely, often without user interaction or authentication.
- 109 Important: These include elevation of privilege (EoP), denial-of-service (DoS), and information disclosure bugs, which, while less severe, could still amplify attacks when combined with critical flaws.
- 1 Low: A less impactful issue, though still addressed for completeness.
The vulnerabilities affect a wide range of Microsoft products, including operating systems (Windows 10, 11, and Server editions), virtualization platforms (Hyper-V), remote access tools (Remote Desktop Services), cloud services (Azure), directory services (LDAP), development frameworks (.NET), and productivity software (Office).
CVE-2025-29824: Actively Exploited Zero-Day Vulnerability
Discovered by the Microsoft Threat Intelligence Center, CVE-2025-29824 is a use-after-free vulnerability in the CLFS Driver, a core Windows component used for system logging. This zero-day flaw has been actively exploited by the ransomware gang Storm-2460, linked to the RansomEXX group, using the PipeMagic malware. The exploitation process begins with initial access via PipeMagic, followed by leveraging CVE-2025-29824 to escalate privileges to SYSTEM level — the highest privilege tier on a Windows system.
- Affected Systems: All supported Windows versions (e.g., Windows 10, 11, and Server editions) running the CLFS Driver, though the exploit does not function on Windows 11 version 24H2.
- Real-World Impact: Victims have been identified across the US (IT and real estate), Spain (software firms), Venezuela (finance), and Saudi Arabia (retail). Once SYSTEM access is gained, attackers can deploy ransomware, steal data, or disrupt operations.
- Urgency: The active exploitation by a known threat actor, combined with its inclusion in the CISA Known Exploited Vulnerabilities Catalog (with a patching deadline of April 29, 2025), emphasizes the critical need to apply this update immediately.
The April 2025 update patches 11 critical RCE vulnerabilities:
- CVE-2025-26686 — Windows TCP/IP RCE: This critical flaw in the Windows TCP/IP Stack, caused by a race condition with unlocked memory, lets remote attackers execute code over a network. It requires precise timing but no authentication, risking compromise of network-facing systems without user interaction.
- CVE-2025-27752 & CVE-2025-29791 — Microsoft Excel RCE: These critical Excel vulnerabilities — a heap-based buffer overflow and a type confusion bug — allow unauthenticated attackers to execute code via malicious files. Exploitable through phishing, they grant system control without needing elevated privileges, threatening Excel users.
- CVE-2025-27491 — Windows Hyper-V RCE: A critical use-after-free flaw with a race condition in Windows Hyper-V lets an authenticated guest VM attacker run code on the host. It breaches VM isolation, endangering virtualization setups and potentially escalating privileges.
- CVE-2025-27745 — Microsoft Office RCE: This critical use-after-free issue in Microsoft Office enables unauthenticated attackers to trigger RCE via malicious documents. Requiring no special access, it risks system takeovers across Office’s vast user base.
- CVE-2025-27748 — Microsoft Office RCE: Another critical use-after-free flaw in Office, this vulnerability allows unauthenticated RCE through crafted documents. Easily exploitable via user action, it amplifies threats to Office environments.
- CVE-2025-27749 — Microsoft Office RCE: A third critical use-after-free in Office, this flaw permits unauthenticated attackers to execute code via malicious files. Its simplicity heightens risks for Office users, enabling potential system compromise.
- CVE-2025-27480 — Remote Desktop Services RCE: This critical RD Gateway flaw, involving a race condition and use-after-free, lets unauthenticated attackers execute code over the network. Targeting exposed systems, it threatens remote access infrastructures.
- CVE-2025-27482 — Remote Desktop Services RCE: A critical RD Gateway vulnerability from insecure memory storage allows unauthenticated network-based RCE. It endangers remote setups, potentially enabling attackers to disrupt or control systems.
- CVE-2025-26663 & CVE-2025-26670 — Windows LDAP Client RCE: These critical use-after-free bugs in the Windows LDAP Client, triggered by crafted server responses, enable unauthenticated remote code execution. With wormable potential, they threaten domain environments, risking widespread network compromise.
In addition to security patches, the April 2025 update introduces enhancements and fixes for Windows 11 and Windows 10, improving user experience and system stability.
Windows 11 KB5055523 (Build 26100.3775 for 24H2)
New Features:
- AI-Powered Windows Search: For Copilot+ PCs, search now supports natural language queries (e.g., “summer picnics”) and integrates OneDrive cloud photos into File Explorer results.
- Taskbar Enhancements: Adds an emoji icon in the system tray for quick access.
- Settings Upgrade: Displays key PC specs in “Top Cards” for easier system monitoring.
- Gamepad-Friendly Keyboard: A new touch keyboard layout optimized for Xbox controller users.
Fixes:
- Resolves a File Explorer bug where the three-dot menu opened in the wrong direction or off-screen.
- Fixes a Blue Screen of Death (BSOD) issue tied to Intel sensor compatibility when waking from sleep.
Windows 10 KB5055518
New Features: Limited new functionality due to the impending end of support on October 14, 2025, but it includes minor stability improvements.
- Eliminates random text appearing during printing, a long-standing issue for users.
- Addresses general performance hiccups to ensure smoother operation in its final months.
Source: https://windows101tricks.com/microsoft-patch-tuesday-review/
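A patch-status triage for the two cumulative updates named in the post above, as an added example that is not part of the original post: it reads an inventory export and ranks hosts against KB5055523 / build 26100.3775, KB5055518 and the April 29, 2025 KEV deadline. The inventory columns, host names, other builds and the non-matching KB numbers are constructed assumptions.

```python
import csv
import io
from datetime import date

# Values taken from the post; everything else here is an assumption.
KEV_DEADLINE = date(2025, 4, 29)            # CISA KEV date for CVE-2025-29824
FIXED_BUILD, FIXED_REV = 26100, 3775        # Windows 11 24H2 with KB5055523
KB_BY_OS = {"Windows 11 24H2": "KB5055523", "Windows 10": "KB5055518"}
ORDER = {"missing-urgent": 0, "missing": 1, "verify": 2, "patched": 3}

# Constructed inventory export: hypothetical hosts, columns, builds and KBs.
SAMPLE_INVENTORY = """host,os,build,hotfixes
ws-001,Windows 11 24H2,26100.3775,KB5055523
ws-002,Windows 11 24H2,26100.3000,KB0000001
ws-003,Windows 10,19045.1000,KB0000002
ws-004,Windows 10,19045.2000,KB0000002;KB5055518
srv-01,Windows Server 2022,20348.1000,KB0000003
"""

def assess(row, today):
    """Return (host, status, note) for one inventory row."""
    build, rev = (int(part) for part in row["build"].split("."))
    installed = set(filter(None, row["hotfixes"].split(";")))
    kb = KB_BY_OS.get(row["os"])
    # Cumulative updates are cumulative: a higher revision includes the fix.
    if build == FIXED_BUILD and rev >= FIXED_REV:
        return row["host"], "patched", "build at or above 26100.3775"
    if kb in installed:
        return row["host"], "patched", f"{kb} installed"
    days = (KEV_DEADLINE - today).days
    due = f"{days} days to KEV deadline" if days >= 0 else f"{-days} days past KEV deadline"
    if kb is None:  # the post names no KB for this OS
        return row["host"], "verify", "no KB named for this OS; " + due
    if build == FIXED_BUILD:
        # Per the post the CVE-2025-29824 exploit does not function on 24H2,
        # so this host ranks below the others, but it still lacks the update.
        return row["host"], "missing", f"{kb} absent"
    # A later cumulative update would hide this KB; confirm before escalating.
    return row["host"], "missing-urgent", f"{kb} absent; " + due

def triage(inventory_csv, today):
    """Rank hosts so the ones exposed to the exploited zero-day come first."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return sorted((assess(r, today) for r in rows), key=lambda r: (ORDER[r[1]], r[0]))

if __name__ == "__main__":
    for host, status, note in triage(SAMPLE_INVENTORY, date(2025, 4, 20)):
        print(f"{host:8} {status:15} {note}")
```

Hosts on an OS for which the post gives no KB number land in `verify` rather than being guessed at.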
attritionorg · 16 days ago
The Curious Case of CVE-2015-2551 & CVE-2019-9081 - Doom and Gloom! Or not.
What’s Your Story CVE-2015-2551?
This CVE-2015-2551 entry seems straightforward, based on the description provided by CVE or NVD. Looking at the change history on NVD it is a bit more informative:
CVE Rejected by MITRE 5/11/2017 10:21:04 AM
CVE Source Update by Microsoft Corporation 11/06/2023 9:25:22 PM
They updated it to reflect they were the source, or assigning CNA. CVE Modified by…