Will Dormann

I play with vulnerabilities and exploits.
I used to be https://twitter.com/wdormann but Twitter has become unbearable, so here I am.
TIL that medical and religious ski masks are a thing?
Your push notifications can betray your privacy. Here are the settings you can enable to do something about that: https://www.eff.org/deeplinks/2026/04/how-push-notifications-can-betray-your-privacy-and-what-do-about-it
How Push Notifications Can Betray Your Privacy (and What to Do About It)

A phone’s push notifications can contain a significant amount of information about you, your communications, and what you do throughout the day. And there are myriad ways that law enforcement can access the content or metadata of push notifications. Let’s fix that.

Electronic Frontier Foundation
I thought that ClickFix was silly, but we've clearly entered the "please fire this footgun" stage of infosec.
https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/

so now there’s a proposed federal U.S. bill that mandates EVERY OS to verify your age on setup, regardless if you’re an adult or not or if you even want this feature…
and they call it the Parents Decide Act.

excellent  

https://itsfoss.com/news/os-level-age-verification-across-us/

#ageverification #bigtech #Linux

Oh No! Now A Federal Bill Wants OS-Level Age Verification for Everyone in the USA

If passed, the bill would apply across the U.S., unlike the state-level laws already around.

It's FOSS

Interestingly, a good chunk of the [(12/73) AV detections on VT](https://www.virustotal.com/gui/file/d84250e2ad053ab4097d0591933935573e4cab3e975360004a126abc102dc6f6) for this RedSun.exe exploit are due to the EICAR part being detected, as opposed to what the exploit does, despite the string being reversed in the code. (Note: this reversal apparently does nothing to prevent EICAR detection in the AV engines on VT.)

If we make the EICAR string less obvious (encrypted), the detections drop to 5.

Defender currently doesn't detect the exploit in either case.

FCC exempts Netgear from ban on foreign routers, doesn't explain why

Trump FCC starts handing out exemptions to its ban on foreign-made routers.

Ars Technica
OpenAI is getting on board too.
To "protect against identity fraud." 😂

From the GitHub repo:

When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location.

This exploit uses the "Cloud Files API", writes EICAR to a file using it, uses an oplock to win a volume shadow copy race, and uses a directory junction/reparse point to redirect the file rewrite (with new contents) to C:\Windows\system32\TieringEngineService.exe. At this point, the Cloud Files Infrastructure runs the attacker-planted TieringEngineService.exe (which is the RedSun.exe exploit itself) as SYSTEM. Game over.

From the same author as BlueHammer we now have RedSun.

This works ~100% reliably to go from unprivileged user to SYSTEM against Windows 11 and Windows Server 2019+ with April 2026 updates, as well as Windows 10, as long as you have Windows Defender enabled. Any system that has cldapi.dll should be affected.

I guess we've entered the phase where doing anything is going to require you uploading your ID and more.