17 August 2025

250817 insider info Critical SharePoint Zero-Day Exploit CVE-2025-53770

250817 insider info Critical SharePoint Zero-Day Exploit CVE-2025-53770

In fact it is not a Zero-Day Exploit.

It was first discovered in April 2014 on old Microsoft SharePoint Server 2010/2013 by me while being global it-security administrator at SAAB-CSC, nowadays SAAB-DX Technology in Linköping, Sweden.

CSC stands for the US company Computer Science Corporation, nowadays DX Technology, included now in HP.
I discovered the exploit while working with SAAB internal SharePoint
 portal on their intranet in April 2014.
I immediately informed the CSC CISO and my ierarchical chief.

Because I was specialized in chasing backdoors and 0-day exploits, my colleagues used to ask me every day in the morning, joking: what else did you crash/discovered today?

There were a lot more discovered in many security products.
But unfortunately, I just did my honest duty to report, and due to the high-security clearances, I was not allowed to make publicly any discovery.

Now after many years, I'm really amazed reading the devastating effect of my 2014 discovery of critical vulnerability in Microsoft SharePoint.
Also amazed by all claiming it is a new zero-day exploit, when in fact it is more than 10 years old, and never patched by Microsoft.

Or intentionally never patched... 

Alike Crypto AG story...

Posted by at

27 December 2021

211227 SwedBank Pay gives free Christmas Presents

 Reference:

https://zenosloim.blogspot.com/2021/09/210930-swedbank-pay-security-flaw.html


It seems that SwedBank is very generous giving to anyone for free, Christmas presents.

Similar security flaw in the SwedBank Pay paying system, makes possible to order/buy anything and paying via SwedBank Pay (PayEx) payment system.

You'll never be invoiced.

The SwedBank Pay (PayEx) was informed about the new security flaw.

Posted by at

17 November 2021

211117 use chemical solvents as antihacking tool

 Use chemical solvents as antihacking tool.

Guaranteed for any Apple, Android, BlackBerry, Windows Phone, Java, Linux, or any other platform using password for log in to access the device or using tokens for OAuth to banking services.


Background: 

Using a password implies using a physical keyboard (ex. BlackBerry) or a virtual keyboard generated on the screen.

Every person has a particular way of making the input of password: timing between individual keystrokes, pressure of individual keystrokes, physiological health - amount of perspiration and fat substances on fingers, resulting in particular amounts of chemical traces left on surface of keyboard (physical or virtual).

Up to day there is no device with virtual keyboard which aleatory generates the geometry (disposal) of the individual tastes (buttons).


UV-analyzers used by enforcement agencies for taking fingerprints can map exactly the areas with specific amount of human perspiration and fat on surface. This identifies exactly which symbols were used in password.


Spectrometers can measure exactly the amount of rests, hence the older of each individual trace. This identifies the succession of the symbols.


So your password is revealed.


More: most token based OAuth for banking services are using only digits, making easier to reveal the password.


How many persons use to use a chemical solvent to wipe the keyboard of their device after use?


So, use a chemical solvent to wipe your keyboard or DO NOT USE A PASSWORD, only fingerprint or iris-recognition for login and banking services.

Posted by at

30 September 2021

210930 SwedBank Pay security flaw

 210930 SwedBank Pay (PayEx) security flaw - Bugg i betalssystemet PayEx från SwedBank


A security flaw was discovered in SwedBank Pay (PayEx) payment system, allowing to buy anything from a customer using the above payment system, without paying in practice, because you will never be invoiced or debted by the bank.

The SwedBank Pay (PayEx) was informed via secured communication about the security flaw, detailed description and how to remedy the security flaw.


Buggfel har upptäckts i betalningssystemet PayEx tillhörande SwedBank, som tillåter att beställa via faktura tjänster och varor från företag som använder SwedBank Pay (PayEx).

Företaget för betalt från SwedBank Pay (köpet blir godkänt via faktura), men själva kunden som handlat blir ej debiterad, utan SwedBank får betala.

SwedBank Pay (PayEx) har informerats via säkrade kanaler om buggen, hur den uppstår och hur kan den korrigeras, med detaljerad information.

Posted by at

05 July 2021

210705 Kaseya or Application Specialist urgently needed

 Recent Kaseya events just remind me of my comment on Solar Winds affair:


https://zenosloim.blogspot.com/2020/12/201222-from-solar-winds-hack-to.html


Well, same story happens again: blind and dumb trust in well-known US software company. 

Or what happens when you cut costs by outsourcing at any price and not using own application specialists.

In Sweden we have full fun: major companies are completely blocked or partially blocked: Coop, SJ...


I remember when working as Application Specialist at SAAB, I provoked rumour when I said that I discovered hidden malware on a CD received from the renowned German company Rohde & Schwarz.

Impossible, absurd...but I was right in my assessment.


Nowadays, being an Application Specialist, is no longer important, who cares to test and reverse engineer/repack updates from Microsoft, Adobe, ... Kaseya, Solar Winds...?


Consequences? Russian hackers become rich on criminal activities and dumb arrogance of chiefs obsessed by cutting costs at any price.


We need Application Specialists in Windows softwares among others, only Linux techies are not enough...:), because advanced filtering firewalls from Israel Check Point are too expensive to be affordable.

Also not anyone is using multi- layered security solutions for email servers and intranet.





Posted by at

03 June 2021

210603 Google Play payment mechanism security issue - any paid app can be downloaded

 210603 Google Play payment mechanism security issue - any paid app can be downloaded


I just discovered a security issue in Google Play payment system, which makes possible for an unauthorized person to download any paid app without payment.

Google was contacted for reporting and correction of the security issue.

Posted by at

19 March 2021

210319 after more than 4 years, Swedish State Authorities react in good direction

 References:

https://zenosloim.blogspot.com/2016/02/it-services-outsourcing-between-cutting.html

https://zenosloim.blogspot.com/2017/07/transportstyrelsen-skandalen.html


Background:

During past years, keyword Outsourcing was the magic key for many Swedish responsibles from both government agencies, state authorities and big private companies.

Cutting costs without long term planning and analysis, became almost a catastrophic way of thinking and a 100% sure way to IT-security incidents and disasters.

Now it seems that many rational analysers have made their point listened and the result is here:

https://sverigesradio.se/artikel/regeringen-lagger-fram-ny-sakerhetslag


"Skärpt säkerhetslag ska skydda känslig information

Publicerat idag kl 10.30

Regeringen föreslår nu ändringar i säkerhetsskyddslagen som ska granskas av lagrådet. 

    Syftet är att hindra att känslig information kommer på avvägar. Till exempel måste myndigheter eller privata företag i vissa fall samråda med Säpo om IT-system ska läggas ut på entreprenad. Det kan gälla verksamhet med kopplingar till förvaret, energiförsörjning, eller telefon- och datanätverk.

    Struntar de i samrådet kan de straffas med en avgift på upp till 50 miljoner kronor."

At last...

Sådana chefer som lägger allt inkl. känslig IT-drift på entreprenad, utan att tänka på konsekvenser, borde också lägga deras eget tjänst på entreprenad, så att någon mer kompetent ersätter dem.





Posted by at
Subscribe to: Posts (Atom)