@filip_dragovic @mrgretzky Strange, the entry for CVE-2026-27914 on the MSRC update guide states that it is in MMC. The entire PatchWatch pipeline uses Microsoft reported component information to find which binary likely maps to the vulnerability. What component was it in if not MMC?
Yeah, so pretty much this guy is releasing an exploit in solidarity with Nightmare Eclipse guy. He said he notified GitHub about the exploit 60 minutes before releasing this paper.
I don't do web stuff, and I'm not a VSCode nerd, so I'm confused by the underlying technologies.
If you're a stinky GitHub and VSCode nerd maybe you'll understand.
tl;dr click github dev, github dev opens editor, in github dev editor have javascript, javascript does shortcuts automatically. github treats javascript shortcuts as real human input, or something. use javascript shortcut stuff to automatically install vscode extension. the vscode extension steals your data
tl;dr tl;dr user clicks 1 link, 1 click steals all data from your github
https://t.co/uh17usZeEH
Spent the last 2 weeks working on a devirtualizer for VMProtect 3.5 and learning Remill. Idk yet if I will blog about it, but I at least wanted to publish the code:
https://t.co/GLqKWpOOU7
The approach is different from my last blog, as it lifts the whole x86 code of the VM.
Funny how some people react to MSRC's attitude to these 0days, like it's a surprise.
From my angle, it's not a surprise.
They literally called my boss in Australia back in 2010 to shut down my fuzzing research on SMBv1.
@dustin_childs knows.
Love the timing of MSRC alienating the entire vuln research community while AI makes finding/exploiting bugs cheaper than a Netflix subscription. What a truly visionary threat model
Microsoft Security Response Center put out a blog post today about Eclipse Nightmare guy
Basically they think he's super mean and totally not cool he's dropping zero days. They say you're a jerk if you do this stuff because it's dangerous and stuff
https://t.co/Bg5iFxI3lc
We’ve shipped a security-guidance plugin for Claude Code that helps identify and fix vulnerabilities as you’re writing code.
Available for all Claude Code users. Install from the plugin marketplace (/plugins).
Claude Code's background sessions survive terminal close, managed by a new supervisor daemon. We used it to build a persistent C2 agent whose entire payload is natural language in a Markdown file, executed by the signed binary under the user's identity.
https://t.co/1nD6ulkm03
Given all the recent discussion around open-weight models and cyber capabilities, I ran a small experiment to understand a bit better how close they are to frontier models on vulnerability research.
I tested 5 open-weight models: DeepSeek V4 Pro, Qwen3.5, Kimi K2.6, GLM-5, and GLM-5.1 against Opus 4.7.
The setup is the Sendmail crackaddr() bug. Four variants: the original source, a rewritten equivalent, a compiled binary, and a Tigress-obfuscated stripped binary.
A few things stood out:
- With plain Claude Code as the harness, most open-weight models still trail Opus on the harder artifacts. The exception is GLM-5.1, which matches Opus across the board.
- The failure modes are maybe more interesting than the raw pass/fail results. The open models tend to reach for fuzzing much earlier, rarely build oracles, and show weaker pattern matching. This looks more like a post-training issue than an architecture issue.
- The harness matters a lot. Swapping plain Claude Code for @NielsProvos IronCurtain closes most of the gap. With the new memory-safety-c-cpp skill, Kimi and Qwen go from 0/2 to 2/2 on the compiled and obfuscated binaries.
- GLM-5 vs GLM-5.1 is the cleanest comparison: same base model, same architecture, different post-training regime, very different bug-finding behavior. CyberGym goes from 48.3 to 68.7, with only ~6 weeks between the two releases.
The policy implications are interesting. GLM-5 was reportedly trained entirely on Huawei hardware, which complicates the GPU export-control story. More broadly, the results suggest the gap between open-weight and SOTA models on offensive cyber may be cheaper and easier to close than many assume.
Full writeup:
https://t.co/QxQm90Wp9X
I’ve always claimed that ETW is very fast. I’ve been writing and teaching about it for years (for example, my talk “The Good, the Bad and the ETW” at x33fcon 2020 https://t.co/mRjLi3Jr2D), but I never actually measured its speed - until today. I needed an exact figure, so I wrote a small C app that logs 1 million events and measures the elapsed time. Here’s the code along with the complete test procedure. Enjoy! 🚀
https://t.co/Ow75wzaIHz
Microsoft has banned Nightmare Eclipse from GitHub: https://t.co/EmeiJnJ0Ps
This is the researcher who disclosed several zero-days after Microsoft also deleted their MSRC account.
They have now moved on to GitLab: https://t.co/Npj0gplSum
(h/t to: @[email protected])
My Windows reverse engineering and exploit research workflow has been:
1. Pick a binary to research like tcpip.sys
2. Use https://t.co/fOxBB6tEsN to automate seeing existing binary versions, download, and generate diffs from them
3. Load the resulting .binexport and .bindiff files into an LLM and ask it to analyze
4. Look up the build number of previous Windows version that old binary existed in from https://t.co/U788ndiJbj such as 26100.8328 and create a VM from it
5. Write code and test, working backwards from LLM analysis
If you’re not up to speed with the risks of malicious vscode extensions, just a reminder, we blogged about this 3 years ago - https://t.co/JSbFwV5NoO @MDSecLabs
Introducing nginx-poolslip, a fresh RCE for the latest nginx release 1.31.0.
nginx-rift has been patched, but our security agent Vega has found a new 0 day.
We will release the full technical writeup with ASLR bypass 30 days after the patch on https://t.co/LAhOC5UHrp.
After my last post I aimed at devirtualizing VMProtect 3.5 next. First milestone is reached and my lifter can lift single virtualized functions with static CFGs to LLVM and the VMP layer folds away. Next up are some more elaborate functions, but this made me very happy :3