
Winsage
June 25, 2026
Component Object Model (COM) is the Windows technology for object activation, inter-process communication, and automation across programming languages. It is an application binary interface (ABI) model: components expose interfaces defined at the binary level, so they can be reused and called from any language that follows that ABI, and Distributed COM (DCOM) extends activation to objects on remote systems. Malware uses COM for lateral movement, execution, downloading, exfiltration, persistence, evasion, system discovery, and automation of Windows and Office functionality. Reverse engineering COM-heavy binaries therefore means tracing GUIDs and indirect vtable calls to recover what the code actually does; research presented at the AVAR 2025 conference and the CARO 2026 workshop covers methodologies for analyzing COM binaries and case studies of malware families that rely on COM.

COM classes are identified by class identifiers (CLSIDs) and interfaces by interface identifiers (IIDs). Registration data lives in the Windows registry, with classes under HKEY_CLASSES_ROOT\CLSID and interfaces under HKEY_CLASSES_ROOT\Interface; ProgIDs give classes human-readable registry names. Malware usually acts as a COM client: it calls into the COM runtime, typically CoCreateInstance, which resolves the CLSID through its registration, loads the server, and returns a pointer to the requested interface. Every COM interface derives from IUnknown, whose QueryInterface, AddRef and Release methods handle interface querying and object lifetime, so the first three vtable slots of any interface are always the same. COM also has its own security model. Identifying the classes and interfaces a sample uses is thus central for threat researchers, and tools such as ComView and OleView.NET help inspect COM registrations. The analysis workflow is: identify activation API calls, extract the CLSID and IID values passed to them, look up their registry definitions, and map the indirect vtable calls to the methods of the resolved interface.
Qakbot, a banking trojan, exemplifies the use of COM in malware: its architecture relies on COM for malicious activities such as credential theft. Dynamic analysis tools can log COM-related calls in real time to trace the execution flow. Other families that use COM include Gh0stRAT, which drives the Task Scheduler COM interfaces, the Attor platform, which uses BITS for file transfers, and WarmCookie, which persists through the Task Scheduler. Understanding COM's role in malware is essential for cybersecurity professionals.
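The workflow above (extract CLSID/IID bytes from a binary, resolve them, map indirect vtable call offsets to methods) in code, as an added example that is not from the page or from the cited AVAR/CARO research. The identifier table and method order are taken from the public Windows SDK headers (unknwn.h, oaidl.h, taskschd.h) and should be cross-checked against the registry on the analysis machine; the .rdata bytes are constructed for the example.

```python
import uuid

# Well-known identifiers from the public Windows SDK headers. This table was
# assembled for the example, not taken from the page; verify each entry against
# HKCR\CLSID\{...} and HKCR\Interface\{...} before trusting a hit.
KNOWN_GUIDS = {
    "{00000000-0000-0000-C000-000000000046}": "IID_IUnknown",
    "{00020400-0000-0000-C000-000000000046}": "IID_IDispatch",
    "{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}": "CLSID_TaskScheduler",
    "{2FABA4C7-4DA9-4013-9697-20CC3FD40F85}": "IID_ITaskService",
}

def guid_from_bytes(raw: bytes) -> str:
    """Decode a GUID as laid out in memory / .rdata: Data1 (u32), Data2 (u16),
    Data3 (u16) little-endian, then Data4 as eight raw bytes."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()

def guid_to_bytes(text: str) -> bytes:
    """Inverse of guid_from_bytes: canonical string to the 16-byte struct."""
    return uuid.UUID(text.strip("{}")).bytes_le

def scan_known_guids(blob: bytes):
    """Find every known CLSID/IID embedded in a byte blob (e.g. a dumped .rdata
    section) at any byte offset. Returns sorted (offset, name, guid) tuples."""
    hits = []
    for text, name in KNOWN_GUIDS.items():
        pattern = guid_to_bytes(text)
        start = 0
        while (idx := blob.find(pattern, start)) != -1:
            hits.append((idx, name, text))
            start = idx + 1
    return sorted(hits)

# Method order as declared in the SDK headers. ITaskService derives from
# IDispatch, which derives from IUnknown, so its own methods begin at slot 7.
VTABLES = {"IUnknown": ["QueryInterface", "AddRef", "Release"]}
VTABLES["IDispatch"] = VTABLES["IUnknown"] + [
    "GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke"]
VTABLES["ITaskService"] = VTABLES["IDispatch"] + [
    "GetFolder", "GetRunningTasks", "NewTask", "Connect", "get_Connected",
    "get_TargetServer", "get_ConnectedUser", "get_ConnectedDomain",
    "get_HighestVersion"]

def resolve_vtable_call(iface: str, byte_offset: int, ptr_size: int = 8) -> str:
    """Map an indirect call such as `call qword ptr [rax+0x50]`, where rax holds
    the interface's vtable pointer, to a method name. ptr_size: 8 on x64, 4 on x86."""
    if byte_offset % ptr_size:
        raise ValueError("vtable offset is not pointer-aligned")
    slot = byte_offset // ptr_size
    table = VTABLES[iface]
    if slot >= len(table):
        raise IndexError(f"slot {slot} is past the end of the {iface} vtable")
    return table[slot]

# Constructed stand-in for a dumped .rdata section: padding, CLSID_TaskScheduler,
# four filler bytes, IID_ITaskService, padding. Not taken from a real sample.
SAMPLE_RDATA = (b"\x00" * 8
                + guid_to_bytes("{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}")
                + b"\x90" * 4
                + guid_to_bytes("{2FABA4C7-4DA9-4013-9697-20CC3FD40F85}")
                + b"\x00" * 8)

if __name__ == "__main__":
    for offset, name, text in scan_known_guids(SAMPLE_RDATA):
        print(f"0x{offset:04x} {name:22} {text}")
    # x64: `call qword ptr [rax+0x50]` on an ITaskService* is slot 10 -> Connect
    print("ITaskService +0x50 ->", resolve_vtable_call("ITaskService", 0x50))
```

Finding CLSID_TaskScheduler next to IID_ITaskService in a sample, followed by a call at vtable offset 0x50, is the static signature of the Task Scheduler persistence pattern the Gh0stRAT and WarmCookie cases describe; the same scan extends to any CLSID/IID pair once it is added to the table.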
Winsage
June 25, 2026
Setting up a PC with the base Dev Config has been streamlined for developers: it uses WinGet Configuration to install applications, run updates, and apply developer settings on Windows. Users obtain the setup scripts by cloning a GitHub repository or downloading a zip archive, with clear instructions provided by Microsoft. The installation may require a reboot during the Windows Subsystem for Linux (WSL) installation, after which the script resumes automatically. The process installs PowerShell, Git, the GitHub CLI, the Windows App SDK, Visual Studio Code, and language support for Node.js, Python, and .NET, along with developer-friendly fonts, a theme engine for Windows Terminal, and options for customizing File Explorer and the Windows taskbar. After WSL is installed, developers can use the WSL Comfort scripts to install additional tools and personalize their Windows Terminal experience. That utility has two phases: the Windows component configures WSL and Ubuntu, while the Linux component fine-tunes the WSL environment, adding zsh and the starship prompt. It also integrates popular command-line tools and supports the Homebrew package manager, and it targets existing Ubuntu instances, so no new Linux distribution has to be installed.
AppWizard
June 25, 2026
Rockstar Games has announced that pre-orders for Grand Theft Auto VI will begin at midnight local time on June 25, 2026, ahead of the official launch on November 19, 2026. The game will retail for .99 and will be available for PlayStation 5 and Xbox Series X|S. An Ultimate Edition will be available for .99, featuring exclusive content. Pre-orders made before November 20, 2026, will include the Vintage Vice City Pack and digital pre-orders will come with a complimentary month of GTA+. Preloading for digital versions will start on November 12, 2026, and physical editions will also be released on that date, including a download code. The game will be available on the PlayStation Store, Microsoft Store, Rockstar Games Store, and various global retailers.
AppWizard
June 24, 2026
Sony claims that Grand Theft Auto 6 will provide its best experience on the PlayStation 5, with pre-orders starting at midnight in various time zones. Rockstar Games has released information about the game, including pricing and details about the GTA 6 Ultimate Edition, noting that physical copies will only contain a code and that GTA Online will not be available at launch. Mary Yee, Senior Vice President of Marketing at SIE, stated that "Grand Theft Auto 6 plays best on PS5" and highlighted the PS5's advanced hardware capabilities, including the DualSense controller and 3D audio technology. European retailers have suggested that the game may feature performance and quality modes, although skepticism exists regarding these claims.
Winsage
June 24, 2026
PowerToys has updated to version 0.100.1, fixing critical bugs from version 0.100.0 that affected core features.
- Color Picker: Resolved a bug causing the main window to appear within the zoomed-in picker view.
- Command Palette: Corrected initialization of Run history in Ahead-of-Time builds, fixed "???" display in Performance Monitor after restart, adjusted the Hibernate command to use the Sleep icon, and limited the "pin to dock" dialog to enabled displays.
- Keyboard Manager: Addressed remapped modifier keys being delivered as system-key events.
- Power Display: Fixed monitor power-state control not waking monitors from standby and resolved display detection and brightness control issues on dual-GPU laptops.
- PowerToys Run: Improved discovery of Visual Studio Code workspaces.
- Quick Access: Fixed crashes in the Quick Access flyout due to unhandled XAML exceptions.
- Shortcut Guide: Resolved a crash in the sidebar navigation, corrected number-key rendering in shortcut manifests, and updated bundled manifests for consistent rendering.
- ZoomIt: Fixed a race condition in audio initialization for video recording.
AppWizard
June 24, 2026
The author explored various personal knowledge management (PKM) tools on Android and initially avoided Obsidian due to dissatisfaction with its earlier mobile app versions, which felt cramped and outdated. However, after revisiting the redesigned Obsidian app, they appreciated its modern user interface and improved usability. Obsidian's use of plain Markdown files allows for better file management and future-proofing of notes. The app supports both quick capture of ideas and deeper exploration through linking notes and creating a cohesive knowledge base. Features like Quick Note, Daily Note widget, and Graph View enhance its functionality. Data syncing requires some setup, with options for Obsidian Sync or third-party solutions. Ultimately, Obsidian stands out as a customizable and long-lasting PKM tool for the author’s workflow.
Winsage
June 23, 2026
Microsoft has confirmed the release of the Windows 11 update version 26H2, designed for PCs with x86-64 processors from Intel and AMD. Devices with Qualcomm Snapdragon Elite and NVIDIA RTX Spark processors will receive a separate update. Earlier this year, Windows 11 26H1 was introduced for Windows-on-Arm devices. Windows 11 26H2 is a minor update that shares the same code base as version 25H2, allowing for a seamless transition without a complete system file replacement. The update process is straightforward and will consolidate security and quality updates. Microsoft will provide security updates for Windows 11 versions 24H2, 25H2, and 26H2 for two years. Windows 11 Enterprise LTSC editions will offer stability by locking onto a specific kernel code base for security updates until a future date.
Tech Optimizer
June 23, 2026
Meta has suspended its employee-tracking program after an internal security review found that the sensitive data collected from staff laptops was far too widely accessible. The program, part of the Model Capability Initiative (MCI), aimed to gather detailed information on employee interactions with work devices, including mouse movements, click locations, keystrokes, and screen content. Concerns arose regarding the privacy and security of the collected data, which included AI prompts, transcriptions, private conversations, and performance-related information. The initiative faced backlash, particularly after an engineer criticized "laptop surveillance," leading to a petition for its termination. The monitoring software was deployed on US workers' laptops without an opt-out option, capturing comprehensive behavioral datasets. The situation highlighted significant legal and regulatory challenges, as well as the risks of holding such sensitive data at all: access controls, data minimization, and retention policies are critical to mitigate potential breaches.
Tech Optimizer
June 23, 2026
A critical security vulnerability, SVD-2026-0603 (CVE-2026-20253), has been identified in Splunk Enterprise versions 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3; it is resolved in 10.0.7 and 10.2.4. The flaw is classified as CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 9.8 (Critical). Its cause is inadequate authentication on the PostgreSQL Sidecar Service endpoints /v1/postgres/recovery/backup and /v1/postgres/recovery/restore, which are reachable without authentication: an unauthenticated remote attacker can send crafted HTTP POST requests to them to create or truncate arbitrary files on the host, which can be escalated to full remote code execution (RCE) as the Splunk user, for example by planting malicious scripts. Exploitation in the wild has been confirmed, public proof-of-concept code is available, and the CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, so both opportunistic cybercriminals and sophisticated threat actors can be expected to use it. Indicators of compromise include unexpected files in directories such as /tmp/ or /opt/splunk/var/run/supervisor/pkg-run/, modified Splunk Python scripts, and unusual outbound connections from Splunk to unknown PostgreSQL servers. The activity maps to MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter). Organizations are advised to upgrade to a fixed version or, as a mitigation, to disable the PostgreSQL Sidecar Service.
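A triage helper for the advisory above, as an added example rather than anything from Splunk or the advisory itself: it checks whether a reported version falls in the affected ranges, flags POSTs to the two sidecar recovery endpoints in an access log, and filters a file listing down to the IOC directories named. The log format is a constructed combined-log style stand-in, not the sidecar's real format, and the sample lines are constructed.

```python
import ipaddress
import re

# Endpoints, affected ranges and IOC directories exactly as the advisory
# summary above states them; other Splunk branches are not modelled.
SIDECAR_ENDPOINTS = ("/v1/postgres/recovery/backup",
                     "/v1/postgres/recovery/restore")
AFFECTED_RANGES = {          # branch -> (first affected, last affected)
    (10, 0): ((10, 0, 0), (10, 0, 6)),   # fixed in 10.0.7
    (10, 2): ((10, 2, 0), (10, 2, 3)),   # fixed in 10.2.4
}
IOC_DIRS = ("/tmp/", "/opt/splunk/var/run/supervisor/pkg-run/")

def parse_version(text: str) -> tuple:
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts

def is_affected(version: str) -> bool:
    """True only for versions inside the ranges the advisory lists."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[:2])
    return rng is not None and rng[0] <= v <= rng[1]

# Constructed combined-log style format for the example. Adapt LOG_RE to
# whatever the reverse proxy or sidecar in front of the endpoints really writes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def find_sidecar_requests(lines):
    """Return every POST to a sidecar recovery endpoint. `external` marks
    requests that did not arrive from loopback, which the sidecar should
    never see from outside the host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not access-log entries
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or path not in SIDECAR_ENDPOINTS:
            continue
        src = ipaddress.ip_address(m["src"])
        hits.append({"src": m["src"], "ts": m["ts"], "path": path,
                     "status": int(m["status"]),
                     "external": not src.is_loopback})
    return hits

def suspicious_paths(paths):
    """Filter a file listing down to entries under the IOC directories."""
    return [p for p in paths if any(p.startswith(d) for d in IOC_DIRS)]

# Constructed sample log; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jun/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 51',
    '203.0.113.7 - - [23/Jun/2026:10:01:09 +0000] "POST /v1/postgres/recovery/restore HTTP/1.1" 200 0',
    '127.0.0.1 - - [23/Jun/2026:10:02:00 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 0',
    '203.0.113.7 - - [23/Jun/2026:10:02:30 +0000] "GET / HTTP/1.1" 200 51',
    'not a log line',
]

if __name__ == "__main__":
    for ver in ("10.0.6", "10.0.7", "10.2.3", "10.2.4"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for hit in find_sidecar_requests(SAMPLE_LOG):
        print("ALERT" if hit["external"] else "note", hit)
    print(suspicious_paths(["/opt/splunk/var/run/supervisor/pkg-run/x.py",
                            "/opt/splunk/etc/apps/a.conf", "/tmp/a.sh"]))
```

A POST to either endpoint from a non-loopback source on an affected version is the event to escalate; pair the alert with a listing of the IOC directories and a check of outbound connections from the Splunk host to PostgreSQL ports it has no business reaching.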
Tech Optimizer
June 23, 2026
Organizations are consolidating their fragmented database environments with Snowflake Postgres, phasing out outdated systems and simplifying multivendor setups without extensive code rewrites. Ericsson migrated four legacy databases to Snowflake Postgres, achieving a 99% reduction in data processing time. SimCorp's transition to Snowflake Postgres resulted in a tenfold increase in disk operation speeds. Sigma Computing provides real-time analytics using Snowflake Postgres, eliminating the need for external systems. BlueCloud supports low-latency transactional workloads and analytics on a single platform. Superblocks enables developers to create full-stack applications using Snowflake CoCo, leveraging SQL tools against live data. Snowflake Postgres is approximately four times faster than Databricks Lakebase and has a 99.95% published uptime SLA. It operates on Postgres 18 and accommodates up to 64 TB of storage, surpassing Lakebase's 16 TB limit. Snowflake Postgres simplifies management with in-place major version upgrades and supports standard logical replication, enhancing flexibility for data movement and integration.