HackingPassion.com

Hacking is not a hobby but a way of life ♥

Internet Explorer Can Still Take Over a Fully Patched Windows PC in 2026

Internet Explorer can still take over a fully patched Windows machine, years after Microsoft retired it in 2022. The code that ran it was never removed from Windows, and a researcher just turned it into working remote code execution.

The researcher behind it, Igor Sak-Sakovskiy, published the work with Microsoft’s permission. The piece he pulled apart is called the WebBrowser control, the same code that drew web pages in Internet Explorer for decades. It still runs inside programs written in Visual Basic, .NET and C#, the kind of older business software and legacy tools that quietly kept the component alive. One detail makes it stranger. No official Microsoft document says this component is retired or about to be. People treat it as gone, while it keeps running underneath.

Google Leaked the Chrome Bug That Turns Your Browser Into a Botnet

A single visit to one website can quietly turn your browser into part of a botnet, and the working code to do it is now sitting out in the open.

It affects Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and almost every browser built on Chromium. Someone flagged it to Google back in 2022. Google sat on it for almost four years, and then leaked the exploit code itself, by accident, on its own bug tracker.

Your Home Devices Are Being Turned Into Proxies for the AI Industry

Your phone, your TV, your router, anything in your home with an internet connection can be put to work crawling the web for the AI industry, and nothing on the device says it is happening. Some of that traffic is harmless scraping. Some of it is not, and it leaves under your IP address either way, so it traces back to you. It’s called a residential proxy.

I came across it through the smart TV story this morning. Researchers had taken apart the software inside some free smart TV apps and found it quietly turns the television into a relay, using the home connection to pull web pages for a data company that resells that access to the AI industry. One question stuck with me. What if it does not stop at one device? So I went digging, and it does not stop there, not by a long way.

Buffer Overflows: The Oldest Way to Take Over a Machine, and How to See It Work on Your Own Lab

Give a running program more data than it was built to hold, and on a lot of systems that extra data does not just get thrown away. It spills into the memory right next to it. And with a little care, that spilled data ends up running as code, with full control over the machine.

HTTP/2 Bomb Takes Down nginx, Apache, IIS, Envoy and Cloudflare

A new exploit called HTTP/2 Bomb lets one ordinary home computer take down nginx, Apache, Microsoft IIS, Envoy and Cloudflare Pingora, the web servers behind a huge share of the internet, in a matter of seconds.

It forces those servers to tie up tens of gigabytes of memory until they stop responding, it abuses the configuration they ship with by default, and when the research went public three of the five still had no patch.

Hackers Took Over Instagram Accounts By Asking Meta's AI Support Bot

Hackers took over some of the most valuable accounts on Instagram over the weekend by asking Meta’s own AI support bot to hand them the keys, and it agreed without checking whether the person asking actually owned the account. They never cracked a password, sent a phishing link, or got near the victim’s inbox. They opened a support chat, typed a few polite sentences, and walked off with accounts worth hundreds of thousands of dollars.

Six Working Windows Zero Days and the Researcher Microsoft Called a Criminal

Six working Windows attacks are sitting in the open right now, three of them already seen in a real intrusion, and the researcher who published them did it after he says Microsoft refused him, deleted the account he reported bugs through, and paid him nothing. Microsoft removed his account, called his actions criminal, and pointed at its crime unit. Both stories are out there, and the security world cannot agree on who is more to blame.

FROST Lets a Website See Which Sites and Apps You Have Open by Timing Your SSD

FROST lets a website time your SSD and see which sites and apps you have open, even ones running in a different browser. It needs no malware and nothing to install. Opening the page is all it takes. While you sit there reading whatever the attacker put on screen, the page is quietly measuring how busy your drive is, and from that alone it works out what else you are running.

Dorks Eye finds what was never meant to be public

I created Dorks Eye because I had a question. What if I could do all my dork searching straight from the terminal, fast, and without a browser or ads getting in the way?

That is how it started. The first version searched through Google only. You typed in a dork, the right results came back, and it did exactly what I wanted. Then Google tightened its policy on automated searches, and the tool stopped working. The one thing it was built for, speed and simplicity, was gone. Everything was gone.

Honeypots: Set the Trap, Watch the Attackers, and Know When You Are Standing in One

Put a server on the internet with port 22 open and the first login attempt arrives within minutes, not days. Automated scanners sweep through IPv4 addresses around the clock, and anything with an open port gets added to a target list almost immediately. A honeypot is built to be found exactly like this, because getting found is the point. This post covers what honeypots actually are, what attackers do in the first thirty seconds after getting in, how to set one up and test it, how to recognize one during a pentest, and the advanced setups for when things get serious.