In the days of 8-bit home computing, the more fancy machines had sound chips containing complete synthesizers, while budget machines made do with simple output ports connected to a speaker — if they had anything at all. [Normal User] appears to be chasing the later route, making PCM sound by abusing the serial port on a 6522 VIA chip.

A serial port is when you think about it, a special case of a one-bit output port. It’s designed for byte data communication but it can also carry a PCM data stream. We’ve seen this used with microcontrollers and peripherals such as the I2S port plenty of times here at Hackaday, to produce such things as NTSC video. The 1970s-spec equivalent might not be as fast as its modern equivalent, but it’s capable of delivering audio at some level. The machine in question is a Ben Eater breadboard 6502 with a World’s Worst Video Card, and as you can hear in the video below the break, it’s not doing a bad job for the era,

If you think this hack sounds a little familiar then in a sense you’re right, because Ben Eater himself made noises with a 6522. However it differs from that in that he used the on-board timers instead. After all, the “V” in “VIA” stands for “versatile”.

youtube.com/embed/0glEfLZCwmc?…

hackaday.com/2025/11/14/2025-c…

We always enjoy [History Guy]’s musing on all things history, but we especially like it when his historical stories intersect with technology. A good example was his recent video about a small secret group during the Second World War that deployed to the European Theater of Operations, carrying out secret missions. How is that technology related? The group was largely made of scientists. In particular, the team of nineteen consisted of a geographer and an engineer. Many of the others were either fluent in some language or had been through “spy” training at the secret Military Intelligence Training Center at Camp Ritchie, Maryland. Their mission: survey Europe.

We are spoiled and enjoy several different GPS systems that can pinpoint our position quickly and easily, but that’s a modern invention. In the old days, everything came down to a geodetic reference point, usually an iron rod or some form of marker with a well-known position. Using surveying equipment, you could position other locations by referring to the reference points.

You might think that the exact location of a city isn’t that important if you are invading it. But, as the [History Guy] points out, sending artillery over the horizon being off even a little bit can have disastrous consequences. Of course, other countries had good references, but they were often not made available for obvious reasons.

The Army sent out a call for “geodesists.” They found Floyd Huff, a Civil Engineer with the requisite experience. They made him a major, and he led a secret band through liberated areas right behind the front line. They carried about 1,800 pounds of cameras and a database of both what was known and locations like libraries and schools that might have enemy geodetic data.

It paid off. Between talking to captured soldiers, finding sympathetic academics, and finding bombed-out libraries, they were able to use their cameras to make microfilm to get better data to the front lines immediately. They even found the entire database from the German Army, but had to mount a significant operation to secure it before the Russians took over the city. They even captured high-tech equipment the Germans used to change aerial photographs into topological maps.

Some of the techniques these secret scientists developed have had far-reaching consequences on mapping. The video explains it, and, as usual, it is fun to watch and educational. If you prefer to read, you might enjoy this older article from The Smithsonian.

Like many secret agents, they aren’t well known because — well, you know — they work in secret. Huff is featured in the — we aren’t making this up — National Geospatial Intelligence Hall of Fame.

With modern tech, it is easy to forget what a technical accomplishment it is to know exactly where things are. Of course, GPS is supremely complicated, but not for us, its users.

youtube.com/embed/l6ciUozP2vI?…

hackaday.com/2025/11/14/wwii-s…

It’s a wet November evening across Western Europe, the steel-grey clouds have obscured a rare low-latitude aurora this week, and Elliot Williams is joined by Jenny List for this week’s podcast. And we’ve got a fine selection for your listening pleasure!

The 2025 Component Abuse Challenge has come to an end, so this week you’ll be hearing about a few of the entries. We’ve received an impressive number, and as always we’re bowled over by the ingenuity of Hackaday readers in pushing parts beyond their limits.

In the news is the potential discovery of a lost UNIX version in a dusty store room at the University of Utah, Version 4 of the OS, which appeared in 1973. Check out your own stores, for hidden nuggets of gold. In the hacks, we have two cameras at the opposite end of the resolution spectrum, but sharing some impressive reverse engineering. Mouse cameras and scanner cameras were both a thing a couple of decades ago, and it’s great to see people still pushing the boundaries. Then we look at the challenge of encoding Chinese text as Morse code, an online-upgraded multimeter, the art of making lenses for an LED lighting effect, and what must be the best recreation of a Star Wars light sabre we have ever seen. In quick hacks we have a bevvy of Component Abuse Challenge projects, a Minecraft server on a smart light bulb, and a long term test of smartphone battery charging techniques.

We round off with a couple of our long-form pieces, first the uncertainties about iRobot’s future and what it might mean for their ecosystem — think: cheap hackable robotics platform! — and then a look at FreeBSD as an alternative upgrade path for Windows users. It’s a path not without challenges, but the venerable OS still has plenty to give.

As always, you can listen using the links below, and we’ve laidout links to all the articles under discussion at the bottom of the page.

html5-player.libsyn.com/embed/…

Download our finest MP3 right here.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 345 Show Notes:

News:

• Component Abuse Challenge
• Have They Found A Complete UNIX V4?

What’s that Sound?

• Think you know what the sound is? Put your metaphorical two cents in here.

Interesting Hacks of the Week:

• Camera Capabilities Unlocked From A Mouse
  
  • Optical Mouse Based Scanner
  • DIY Optical Sensor Breakout Board Makes DIY Optical Mouse

  
  

• Medium Format, 3 GigaPixel Camera Puts It All On The Line (Sensor)
• Morse Code For China
  
  • UTF-8 Is Beautiful
  • UTF-8 – “The Most Elegant Hack”
  • Reproduced And Recovered: The First Chinese Keyboard-based MingKwai Typewriter

  
  

• Screen-Accurate Lightsaber As A Practical Effect
• Cheap Multimeter Gets Webified
• An LED Projector As A Lighting Effect

Quick Hacks:

• Elliot’s Picks:
  
  • RP2040 From Scratch: Roll Your Own Dev Board Magic
  • Running A Minecraft Server On A WiFi Light Bulb
  • Nest Thermostat: Now 100% Less Evil
  • Testing Whether Fast Charging Kills Smartphone Batteries, And Other Myths

  
  

• Jenny’s Picks:
  
  • 2025 Component Abuse Challenge: Dawg Gone LED Tester
  • 2025 Component Abuse Challenge: Glowing Neon From A 9 V Relay
  • 2025 Component Abuse Challenge: The Slip Ring In Your Parts Bin
  • Have A Slice Of Bumble Berry Pi

  
  

Can’t Miss Articles:

• If IRobot Falls, Hackers Are Ready To Wrangle Roombas
• Moving From Windows To FreeBSD As The Linux Chaos Alternative

hackaday.com/2025/11/14/hackad…

Molti di noi sono cresciuti con Hiroshi Shiba, di Jeeg robot d’acciaio che parlava con il defunto padre, il Professor Senjiro Shiba, scienziato e archeologo all’interno di un grande elaboratore.

In un futuro distopico – ma molto vicino – le persone defunte potranno parlare con i defunti, che saranno archiviate e indicizzate in un grande “archivio delle anime*, come una grande Wayback machine, ma per i defunti.

Lo scandalo dei “fantasmi” digitali è divampato di nuovo. Nel 2020, Kanye West regalò a Kim Kardashian un ologramma del suo defunto padre, Rob Kardashian, per il suo compleanno: all’epoca, questo gesto sembrò un regalo futuristico riservato solo alle celebrità.

Ora, diversi anni dopo, il mondo dell’intelligenza artificiale si sta muovendo con sicurezza verso un futuro in cui queste cose saranno accettate come parte della vita quotidiana.

La startup di Los Angeles 2Wai ha scatenato un’ondata di polemiche dopo aver lanciato un’app che permette agli utenti di creare avatar digitali interattivi di parenti defunti. L’azienda ha fatto subito notizia: il co-fondatore Calum Worthy ha pubblicato un video che è diventato virale sui social media nel giro di poche ore.

In questo video, una donna incinta parla al telefono con un’incarnazione artificiale della sua defunta madre. La scena fa poi un salto in avanti di dieci mesi: la “nonna” digitale legge una favola della buonanotte al bambino. Qualche anno dopo, il bambino, ormai scolaretto, discute con lei della strada per tornare a casa. La scena finale mostra un uomo adulto che informa la sua parente virtuale che diventerà bisnonna.

Sullo schermo appare lo slogan: “Con 2Wai, tre minuti possono durare per sempre”. Worthy, nei commenti, ha affermato che la sua azienda sta creando un “archivio vivente dell’umanità”, un social network basato sugli avatar. Ha anche formulato la principale domanda retorica del progetto: “E se le persone che abbiamo perso potessero far parte del nostro futuro?”

L’app è ora disponibile sull’App Store. Permette agli utenti di creare un cosiddetto HoloAvatar, un sosia digitale che, secondo gli sviluppatori, “ti assomiglia e parla come te, e condivide i tuoi ricordi“. Worthy ha incoraggiato gli utenti a provare la versione beta e ha sottolineato che una versione per Android sarà disponibile in seguito.

Gli utenti dei social media hanno immediatamente tracciato un parallelo con l’episodio “Return to Me” di Black Mirror, in cui una donna crea una copia IA del suo partner defunto e perde gradualmente il contatto con la realtà. Molti commentatori hanno definito il video di 2Wai un “incubo a occhi aperti“, una “tecnologia demoniaca” e hanno persino chiesto che tale tecnologia venisse “distrutta“.

La scena in cui un bambino instaura un legame emotivo con una versione digitale della nonna ha causato particolare tensione, sollevando preoccupazioni sul fatto che tali servizi possano distorcere la memoria, il dolore e il concetto stesso di relazioni familiari.

I sostenitori del progetto, al contrario, lo vedono come un modo per preservare la voce , il modo di parlare e le storie personali dei membri della famiglia per i decenni a venire. Vedono la tecnologia come un’opportunità per tramandare i ricordi di generazione in generazione.

Ma per ora, il dibattito rimane estremamente polarizzato. Alcuni credono che tali servizi inaugureranno una nuova forma di memoria digitale. Altri ritengono che questi deepfake rischino di offuscare il confine tra memoria e simulazione, oltre ad avere un impatto negativo sulla salute mentale degli individui.

Come dimostra la reazione al video, la società non ha ancora deciso dove tracciare il confine tra eredità digitale e interferenza con i sentimenti umani. Ma una cosa è chiara: l’intelligenza artificiale sta sempre più invadendo la sfera intima e tali strumenti solleveranno inevitabilmente nuove questioni psicologiche ed etiche per la società.

L'articolo La Wayback Machine “delle anime” sta per arrivare. E anche le polemiche proviene da Red Hot Cyber.

Let’s talk about LANDFALL. That was an Android spyware campaign specifically targeted at Samsung devices. The discovery story is interesting, and possibly an important clue to understanding this particular bit of commercial malware. Earlier this year Apple’s iOS was patched for a flaw in the handling of DNG (Digital NeGative) images, and WhatsApp issued an advisory with a second iOS vulnerability, that together may have been used in attacks in the wild.

Researchers at Unit 42 went looking for real-world examples of this iOS threat campaign, and instead found DNG images that exploited a similar-yet-distinct vulnerability in a Samsung image handling library. These images had a zip file appended to the end of these malicious DNG files. The attack seems to be launched via WhatsApp messaging, just like the iOS attack. That .zip contains a pair of .so shared object files, that are loaded to manipulate the system’s SELinux protections and install the long term spyware payload.

The earliest known sample of this spyware dates to July of 2024, and Samsung patched the DNG handling vulnerability in April 2025. Apple patched the similar DNG problem in August of 2025. The timing and similarities do suggest that these two spyware campaigns may have been related. Unit 42 has a brief accounting of the known threat actors that could have been behind LANDFALL, and concludes that there just isn’t enough solid evidence to make a determination.

Not as Bad as it Looks

Watchtowr is back with a couple more of their unique vulnerability write-ups. The first is a real tease, as they found a way to leak a healthy chunk of memory from Citrix NetScaler machines. The catch is that the memory leak is a part of an error message, complaining that user authentication is disabled. This configuration is already not appropriate for deployment, and the memory leak wasn’t assigned a CVE.

There was a second issue in the NetScaler system, an open redirect in the login system. This is where an attacker can craft a malicious link that points to a trusted NetScaler machine, and if a user follows the link, the NetScaler will redirect the user to a location specified in the malicious link. It’s not a high severity vulnerability, but still got a CVE and a fix.

Worse than it Looks

And then there’s the other WatchTowr write-up, on Monsta FTP. Here, old vulnerabilities continue to work in versions released after the fix. The worst one here is an unauthenticated RCE (Remote Code Execution) that can be pulled off by asking the server nicely to connect to a remote SFTP server and download a file. In this case, the specified path for saving that file isn’t validated, and can be written anywhere to the Monsta FTP filesystem. Instant webshell. This time it did get fixed, within a couple weeks of WatchTowr sending in the vulnerability disclosure.

Imunify AV

Antivirus software Imunify just fixed an issue that threatened a few million servers. Imunify is an antivirus product that scans for malicious code. It sounds great. The problem is that it worked to deobfuscate PHP code, by calling an executeWrapper helper function. The short explanation is that this approach wasn’t as safe as had been hoped, and this deobfuscation step can be manipulated into running malicious code itself. Whoops.

Patchstack reported on this issue, and indicated that it had been publicly known since November 4th. Patches have since been issued, and a simple message has been published that a critical security vulnerability has been fixed. There is a PoC (Proof of Concept) for this vulnerability, that would be trivial to develop into a full webshell. The only challenge is actually getting the file on a server to be scanned. Either way, if your servers run Imunify, be sure to update!

IndonesianFoods

There’s another NPM worm on the loose, and this one has quietly been around for a couple years. This one is a bit different, and the “malicious” packages aren’t doing anything malicious, at least not by default.

[Paul McCarty] first spotted this campaign, and gave it the name “IndonesianFoods”, inspired by the unique names the fake packages were using. It appears that a handful of malicious accounts have spent time running a script that generates these fake packages with unique names, and uploads them to NPM. Downloading one of these packages doesn’t run the script on the victim machine, and in fact doesn’t seem to do anything malicious. So what’s the point?

Endor Labs picked up this thread and continued to pull. The point seems to be TEA theft. That’s the Blockchain tech that’s intended to reward Open Source project and contributions. It’s yet another abuse of NPM, which has had a rough year.

Rusty Sudo

Canonical made a bold decision with Ubuntu 25.04, shipping the uutils Rust rewrite of coreutils and sudo-rs. That decision was controversial, and has proven to be a cause of a few issues. Most recently, the sudo-rs utility has made news due to security vulnerabilities. We know the details on a few of the issues fixed in this update of those, CVE-2025-64170. It’s a quirk when a user types a password into the prompt, but never presses return. The prompt times out, and the typed characters are echoed back to the terminal.

Another issue doesn’t have a CVE assigned yet, but is available as a GitHub Security Advisory, and the patch is published. This one has the potential to be an authentication bypass. Sudo has the feature that tracks how long it has been since the user has last authenticated. The flaw was that this state was leaking between different users, allowing a login by one user to count as a login for other users, allowing that password skip.

Bits and Bytes

And finally, there’s a bit of good news, even if it is temporary. Google has taken action against one of the larger SMS scam providers. The group operates under the name Lighthouse, and seems to use normal cloud infrastructure to run the scams, simply flying under the radar for now. Google has combined legal action with technical, and with any luck, law enforcement can join in on the fun.

hackaday.com/2025/11/14/this-w…

Europe stands at perhaps the most difficult crossroads of recent times, a tough call to make between social welfare and stabilizing fiscal balance. On 4 November 2025, the IMF issued a warning, citing the deep fiscal troubles the EU is facing and how the situation is likely to worsen if immediate and more decisive steps are not taken. The rising debt levels, which could double to 140% by 2040, as suggested by the IMF, pose an imminent threat to disturbing the existing fragile balance between revenue and expenditure. Funding various social schemes, including pensions, unemployment benefits, healthcare, and education, has long been a mainstay of government policies across the EU. Now, the IMF calls for a re-evaluation of those spending policies. The message is clear: harsh measures are crucial now to have a better future. Across Europe, governments have already joined the austerity drive. For the last 18 months, the EU has been experimenting with various ideas as part of a strict fiscal policy aimed at restoring the budgetary balance. Below is a list of measures adopted across the EU countries:

• Raising the statutory retirement age.
• Freezing or delaying pension indexation.
• Limiting the duration of unemployment benefits.
• Reducing public-sector wage growth or hiring.
• Cutting healthcare and education budgets.
• Phasing out early-retirement schemes.
• Increasing consumption or environmental taxes.
• Reducing energy or transport subsidies.
• Capping family and housing support payments.
• Restricting public investment spending.

These measures have either been implemented/approved, or are currently under parliamentary debate. As policymakers adjust the policy machinery to cope with an impending economic peril, implementations are faced with a formidable opposition from the affected groups. In fact, over the last two months, a wave of rising resentment has been evident. Belgium, France, Germany, Italy, and more have all witnessed nationwide strikes, and many more are likely to follow.

Although cutting public spending might seem like a straightforward solution to rectify the current fiscal imbalance from the government’s perspective, the situation is not entirely linear. Cutting public funding, such as pensions, social benefits, or unemployment funds, reduces the disposable income of the impacted groups. Low disposable income means lower consumer demand. With demand spiraling downward, supply needs to be downsized as well, following a fundamental economic principle that matches market demand. As a result, businesses respond with layoffs, further reducing tax revenues and pushing up unemployment levels. In short, economies can face a self-perpetuating cycle that widens inequality and, even worse, triggers an economic recession (something the world witnessed in the 1930s – The Great Depression).

Furthermore, a reduction in expenditure on human infrastructure, whether in health or education, has a long-term negative impact on the economy. The immediate effect could be a robust balance sheet and good fiscal ratios. In the longer run, it weakens the foundation for sustainable growth, something which the EU stands for and identifies with. Decline in human capital, lack of innovation and global competitiveness, brain drain, social inequality, and other issues are a few notable consequences. Excessively rigid austerity measures, in a way, can undermine growth and social cohesion.

The IMF’s warning, therefore, should not be examined in a single dimension. Instead of treating it as a call to cut, it can be perceived as an invitation to rethink how Europe balances its books while safeguarding its people.

The solution lies in achieving a balance:

According to Friedrich Ebert Stiftung’s “Alternative to Austerity”, if fiscal strategies are growth-oriented, rather than simply focusing on cutting expenditure, a balance can be reinstated without impacting the welfare. Budgetary discipline will have to be achieved through the use of a balanced mix of responsible budgeting and investing public funds wisely. Pumping investments into areas such as infrastructure, education, and green technology can help countries build strong and sustainable economies, as well as secure their futures. These investments can help create more jobs, improve skills, and support long-term growth. It also calls for a fairer tax system where the wealthy and large companies contribute more, reducing the pressure on working families.

The problem the EU is facing at this moment goes beyond the budget. The challenge is about protecting fairness and dignity. Financial discipline should always go hand-in-hand with social justice.

The goal should not be to weaken the social support systems people depend on, but to strengthen and make them more sustainable, so that growth and fairness work together, rather than against each other.

Reference Links:

politico.eu/article/police-cla… | archive.ph/pYghC

euronews.com/2025/09/24/french… | archive.ph/JetNb

berlintoday.com/public-sector-… | archive.ph/8ZdCM

european-pirateparty.eu/are-eu…

In a recent blog post Google announced that the early access phase of its Android Developer Verification program has commenced, as previously announced. In addition to this new announcement Google also claims to be taking note of the feedback it has been receiving, in particular pertaining to non-commercial developers for whom these new measures are incredibly inconvenient. Yet most notable is the ’empowering experienced users’ section, where Google admits that to developers and ‘power users’ the intensive handholding isn’t required and it’ll develop an ‘advanced flow’ where unverified apps can still be installed without jumping through (adb) hoops.

What this new option will look like, and how it’ll differ from the current warning pop-up when installing an APK not via the Play Store remains to be seen. Either way, it highlights the impossible balance that Google is trying to strike between a simultaneously open ecosystem and a high-security one. A problem with a central software repository is that while it does provide a lot of convenience for end users, ensuring that all software in it is vetted and safe is a tough one.

In the case of something like the Debian or FreeBSD software repositories, these are quite locked down and with no random developer getting their software in without some serious work, whereas the very open NPM and Python repositories are practically overrun with malware. Here Google has to choose and pick its battles, with the scenario of scammers making a victim download a fake ‘verification app’ clearly being front and center on their mind. The problem here being of course that this is trying to fix a social engineering issue with technology, which only gets you so far and risks immense damage in the process.

For developer types, Google still only distinguishes between commercial developers and students/hobbyists, with the latter developing for a ‘small group’, making one wonder how OSS software with potentially very large userbases will be treated. Will they have to go through the whole ‘submit government ID scan’ and publishing of personal contact information on the app details page, same as for a commercial app?

Either way, it seems like good progress at least that the option of distributing APKs via alternate app stores as well as places like GitHub will be preserved. Telling users to just mash the ‘Ok’ button a few times on scary dialogs is significantly more straightforward than instructing them on how to push your app onto their Android device via adb would be. In fact, most users probably won’t need any special encouragement to do so.

hackaday.com/2025/11/14/androi…

L’intelligenza artificiale è stata la tendenza più importante degli ultimi anni mentre i prezzi delle azioni dei giganti tecnologici legati all’intelligenza artificiale sono saliti alle stelle. NVIDIA ha superato la soglia dei 5 trilioni di dollari di capitalizzazione di mercato, diventando un punto di riferimento per il mercato rialzista dell’intelligenza artificiale negli Stati Uniti e persino nel mondo.

Tuttavia, il dibattito sull’eventualità che l’intelligenza artificiale sia una bolla è proseguito e si è intensificato la scorsa settimana, con i suoi effetti che hanno iniziato a farsi sentire.

Il prezzo delle azioni NVIDIA è sceso per diversi giorni consecutivi. Non solo NVIDIA ha subito un calo, ma anche altri giganti della tecnologia non sono stati risparmiati: Google è scesa assieme a Broadcom e Tesla.

Qualche giornata fa si è visto un bagno di sangue tra i giganti della tecnologia statunitense, in particolare i giganti dei chip di memoria basati sull’intelligenza artificiale, con SanDisk in calo del 16% e Seagate e Western Digital in calo di oltre il 10% in due giorni.

Anche i fondi correlati hanno percepito per primi il cambiamento di rotta. Il SoftBank Group di Masayoshi Son aveva già venduto tutte le sue azioni NVIDIA entro la fine di ottobre, realizzando un profitto di 5,8 miliardi di dollari.

Anche Bridgewater Associates, il più grande hedge fund al mondo, ha ridotto significativamente le sue partecipazioni in NVIDIA entro la fine di settembre, detenendo solo 2,51 milioni di azioni, con un netto calo del 65,3% rispetto ai 7,23 milioni di azioni alla fine del secondo trimestre. Al contrario, Bridgewater aveva appena aumentato le sue partecipazioni in NVIDIA del 150% nel secondo trimestre.

Il mercato dell’intelligenza artificiale, che da tre anni è in notevole espansione, sta subendo un chiaro raffreddamento, dato che i maggiori venditori allo scoperto negli Stati Uniti hanno da poco iniziato a cedere azioni di NVIDIA.

Il mercato è attualmente in attesa di quella che sembra un’eternità: il report sugli utili del terzo trimestre di NVIDIA, la cui pubblicazione è prevista per il 19.

Se i risultati continueranno a crescere, l’intelligenza artificiale probabilmente guiderà la ripresa del mercato azionario. Tuttavia, se le prestazioni saranno inferiori alle aspettative, l’intelligenza artificiale avrà ovviamente bisogno di qualche aggiustamento.

L'articolo Il mercato dell’intelligenza artificiale in crisi: NVIDIA e altri giganti tecnologici in calo proviene da Red Hot Cyber.

Per la soggettazione del fascicolo n. 3-2025 della Bibliografia Nazionale Italiana, serie Monografie, abbiamo introdotto nel Thesaurus del Nuovo soggettario i seguenti nuovi termini di soggetto:

• Arte camerunese IT 2025-2594
• Cinema polacco IT 2025-2732
• Detriti spaziali IT 2025-2448
• Diorami IT 2025-2659
• Educazione finanziaria IT 2025-2279
• Gnatologia IT 2025-2535
• Reti bayesiane IT 2025-2542
• Tarì IT 2025-2281

Per i fascicoli precedenti rimandiamo alla pagina BNI dedicata.

L'articolo BNI notizie 3-2025 proviene da Biblioteca nazionale centrale di Firenze.

È stata scoperta una vulnerabilità nell’ecosistema di hosting Linux: lo scanner malware ImunifyAV è risultato vulnerabile all’esecuzione di codice remoto ( RCE ).

Il problema riguarda il componente AI-Bolit integrato in Imunify360, nella versione a pagamento ImunifyAV+ e nella versione gratuita ImunifyAV. Una correzione è stata rilasciata a fine ottobre, ma la vulnerabilità non è ancora stata identificata e non ci sono raccomandazioni per la scansione alla ricerca di segni di hacking.

Patchstack ha pubblicato informazioni sulla falla in questione. Secondo l’azienda, la falla risiede nella logica utilizzata per decomprimere i file PHP offuscati durante l’analisi di contenuti sospetti. AI-Bolit ha richiamato le funzioni PHP estratte dai file offuscati senza verificarne la validità. Grazie all’utilizzo del costrutto call_user_func_array senza filtraggio dei nomi, sono state eseguite funzioni arbitrarie a livello di sistema, exec, shell_exec, passthru, eval e altri. Ciò ha creato una piattaforma sul server per attacchi sofisticati in grado di prendere il controllo del sito web e, con privilegi di scansione avanzati, di ottenere il potenziale controllo sull’intera macchina.

Sebbene la deoffuscamento attivo sia disabilitata nella versione standalone di AI-Bolit, l’integrazione dello scanner con Imunify360 la abilita. Questo vale per l’analisi in background, la scansione su richiesta, le scansioni definite dall’utente e le scansioni accelerate, creando le condizioni necessarie per lo sfruttamento. Patchstack ha mostrato un esempio funzionante: è sufficiente creare un file PHP pre-impostato in una directory temporanea. Dopo aver analizzato questo oggetto, lo scanner eseguirà un comando dannoso.

La popolarità di ImunifyAV rende il problema diffuso: la soluzione è integrata nel pannello cPanel/WHM, è utilizzata attivamente nelle installazioni server ed è presente su qualsiasi hosting standard con protezione Imunify360. Secondo i dati dell’azienda di ottobre 2024 , questa suite di strumenti opera silenziosamente dietro le quinte su 56 milioni di siti web e il numero di installazioni di Imunify360 supera le 645.000.

CloudLinux ha annunciato il rilascio delle patch e ha raccomandato agli amministratori di eseguire l’aggiornamento alla versione 32.7.4.0, incluse le vecchie installazioni di Imunify360 AV, a cui le patch sono state migrate il 10 novembre.

La nuova versione implementa una whitelist di funzioni sicure che impedisce l’esecuzione di codice PHP non autorizzato durante il processo di deoffuscamento. Ciononostante, l’azienda non ha ancora fornito istruzioni per l’identificazione di possibili compromissioni né ha confermato la presenza di attacchi attivi.

L'articolo Un bug nell’Antivirus ImunifyAV porta alla RCE. Sono 56 milioni i siti a rischio proviene da Red Hot Cyber.