
New Episode of Security Now: Security Now 1028
In this episode of Security Now, Steve Gibson and Leo Laporte discuss the results of the recent Pwn2Own 2025 hacking contest, the growing vulnerabilities related to SVG images, and the use of AI for vulnerability hunting. They also cover various topics such as the security of newly registered domain names and the implications of patents on security technologies.

Pwn2Own 2025 Results: The Pwn2Own 2025 contest, held in Berlin, revealed several critical vulnerabilities in fully patched systems. Steve Gibson highlights that these exploits show how even well-secured systems can be vulnerable. Notable exploits include attacks on Red Hat Linux, Windows 11, and various virtualization environments like Oracle VirtualBox and VMware ESXi. The rewards for these exploits totaled more than one million dollars, underscoring the importance and value of discovering these vulnerabilities.

SVG Vulnerabilities: SVG (Scalable Vector Graphics) images are increasingly being used in phishing attacks due to their ability to execute JavaScript. Steve Gibson explains that this feature, built into the SVG format design, poses a significant risk. Attackers can use malicious scripts in SVG images to redirect users to phishing sites or perform other malicious actions. Steve advocates for disabling script execution in SVG images to improve security.

AI and Vulnerability Hunting: One of the episode's highlights is the discussion on using AI to discover zero-day vulnerabilities. Steve Gibson presents a case where OpenAI's o3 model discovered a critical vulnerability in the Linux kernel, specifically in SMB protocol management. This discovery shows the potential of AI in improving software security. However, Leo Laporte points out that this capability is a double-edged sword, as it can also be used by malicious actors.

Domain Name Security: PayPal has patented a system that analyzes newly registered domain names to detect fraud. This system uses an automated crawler and a payment simulator to identify suspicious redirections. Although this technology is promising, Steve Gibson has reservations about patenting such a method, as it could limit its use by other companies seeking to improve their security.

Practical Implications: The episode's discussions have important practical implications for cybersecurity. Companies and developers must be aware of potential vulnerabilities in the systems they use and develop. Using AI for vulnerability hunting can significantly improve software security, but it is crucial to ensure these tools are used ethically. Additionally, disabling script execution in SVG images and proactively analyzing newly registered domain names are concrete measures companies can take to enhance their security.

In conclusion, this episode of Security Now provides an in-depth overview of the latest trends and developments in cybersecurity. It highlights the importance of staying vigilant against new threats and adopting proactive practices to protect computer systems.
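
As an added illustration of the SVG point above (this is not code from the podcast or its show notes), the following Python function inspects an SVG file for the constructs that let it run script, which is the check a mail gateway or upload filter would apply before letting the file through. The sample documents are constructed for this example, and every function and constant name here is an assumption of the example.

```python
import xml.etree.ElementTree as ET

# Elements that run script or embed HTML; names are compared lower-cased.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes that carry a URL (xlink:href reduces to "href" once the namespace is stripped).
URL_ATTRS = {"href", "src", "data", "action"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(svg_bytes):
    """Return (kind, detail) findings; an empty list means no active content was found."""
    # Refuse to expand custom entities from an untrusted file; report them instead.
    if b"<!ENTITY" in svg_bytes.upper():
        return [("entity-declaration", "not parsed")]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(("element", tag))
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):  # onload, onclick, ...
                findings.append(("event-handler", f"{tag}@{attr}"))
            elif attr in URL_ATTRS:
                # Drop spaces and control characters before comparing the scheme,
                # since browsers ignore tabs and newlines inside a URL.
                scheme = "".join(c for c in value if c > " ").lower()
                if scheme.startswith(("javascript:", "data:text/html")):
                    findings.append(("script-url", f"{tag}@{attr}"))
    return findings

# Constructed samples: a plain drawing and a file carrying three script vectors.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
SCRIPTED = b'''<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* constructed placeholder, no payload */</script>
  <a xlink:href="javascript:void(0)"><text>open</text></a>
</svg>'''

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("scripted", SCRIPTED)):
        print(label, find_active_content(doc))
```

A filter built on this would quarantine or reject any SVG with a non-empty result; serving user-supplied SVGs only through an img element is a complementary control, because browsers do not run script in images loaded that way.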