ExifToolに、画像メタデータ経由でmacOS上の任意コマンドを実行できる重大脆弱性CVE-2026-3102が見つかった。写真ファイルへ悪性コードを埋め込むだけで、トロイの木馬展開や情報窃取が可能になる危険がある。 問題はmacOS向け処理「SetMacOSTags」に存在する。ExifToolは画像の作成日時情報を処理する際、「MDItemFSCreationDate」を内部タグ「FileCreateDate」へ変換するが、この値が適切にサニタイズされずsystem()へ渡されていた。 攻撃者は単一引用符を含む細工済みメタデータを画像へ埋め込み、ExifToolの「-n」オプションを利用して検証を回避する。その後「-tagsFromFile」で汚染データをFileCreateDateへコピーさせると、macOSの「/usr/bin/setfile」呼び出し時に任意シェルコマンドが実行される。 Kaspersky GReATは2026年2月に問題を発見し、悪用されればトロイの木馬展開、データ窃取、社内ネットワーク横展開まで可能だと警告している。特に画像処理、報道、資産管理などmacOS環境でExifToolを自動利用する組織は高リスクとされる。 ExifTool 13.50では、文字列連結型system()呼び出しを安全な引数リスト方式へ変更することで修正された。利用組織には最新版更新、古い組み込みExifTool探索、未信頼画像の隔離処理が推奨されている。 cybersecuritynews.com/exifto…

Kaspersky discovers critical ExifTool flaw (CVE-2026-3102) enabling command injection via malicious image metadata on macOS 🇺🇸. Attackers can achieve RCE by embedding shell commands in EXIF data, then copying to FileCreateDate tag. Key technical details: • Affects ExifTool v13.49 and earlier on macOS systems only • Exploits unsanitized $val parameter in SetMacOSTags function's system() call • Requires -n flag (raw output mode) and -tagsFromFile feature to trigger vulnerable code path • Attack vector: inject single quotes in DateTimeOriginal tag, copy to FileCreateDate via `-tagsFromFile` operation • Bypasses PrintConvInv filter validation through raw value processing Attack methodology: • Craft malicious image with command injection payload in EXIF DateTimeOriginal field • Use `exiftool -n -tagsFromFile malicious.jpg "-FileCreateDate<DateTimeOriginal" target.jpg` • Payload executes when /usr/bin/setfile command processes unsanitized date string • Enables arbitrary command execution with user privileges DFIR artifacts: • Monitor /usr/bin/setfile process creation with unusual parent processes • Check ExifTool command line arguments for -n and -tagsFromFile flags • Examine EXIF metadata in suspicious images for non-standard datetime formats containing shell metacharacters Update to ExifTool v13.50 immediately. Hunt for `exiftool -n -tagsFromFile` in command history and process logs. #DFIR_Radar

AI drags the mt4 tick data down, analyses it, converts it to whatever TF you wanna test, runs the tests with py, panda, whatever, builds the EA, tests it, spits out a setfile and can give you a winning EA for pennies Do the work then hit the beach 🫶🫶❤️

#3crbot update I had a 💡 lightbulb moment at 3am today, spent all morning and built a new 12 mnth setfile, this is the 36mnth graph and results, NICE slope The idea came from some great fwd tests This is BIG 9 hrs later, Sun's out #beachtime☀️⛱️😎🏊🏊‍♂️ #greenpips ALL❤️

Been working on this setfile all day so far, It's driving me mad The forward live test takes twice the trades the backtest takes Both tests are really profitable I'll rip it apart to sort it #ItsAmystery #BeachTime☀️⛱️😎🏊‍♂️🚶‍♂️🌞

This setfile/graph is a few minutes old, new ideas too Rainy day in VN so I have been at it for abt 15 hrs, no walks or swims, algos are addictive I currently build on 12 months data then run on 36 NOT scalping I love this stuff Greenpips ALL ❤️❤️

This graph is a hot off the press setfile developed this morning I keep thinking up new filters almost daily, also new ways to improve how I optimise them too Huge learning curve for me still but it's all good Meeting many people here sick of the worldwide toxic rat race ❤️🫶

I've done this all ass backwards but moving to Asia has been fantastic Manual trades done b4 the UK goes to bed I built a website to catalogue all the setfiles Numbers again, if 1 setfile on a website is worth $50 after a yr of 2 a day you have over 700 $50 products online

This is a 3 yr graph from a random setfile I produced while I was posting todays tweets Optimised for 12 months, run on 36 months data Oct 2022 to Nov 2025 Built to stay within most prop firms rule, 5% max dd

This is the 16 month backtest, It's an old original inferior setfile, massive improvements on the way. Gold m5. #3crbot

Not done this for a while I added an extra zero to one of the setfile parameters by mistake Pretty impressive curve #3crbot

This was a pre-swim 3crbot setfile today, so sexy m1 gold etc

Same setfile, June 24th 2024 to Oct 17th 2025

Rainy day means more work I surprised myself today, I've built about 100 unique m1 setfiles so far this month, only got one fwd testing so far, I ran out of setfile energy last week and focussed on building a way to share some of them WIP This is a random 6 mnth m1 bktest

This new setfile caught the gold move much earlier than all my other setfiles today #3crbot improvements BOOM

Hot off the press #3crbot setfile, built on 5 months data then run on 16 months I'm not curve fitting them at all Probaly just a few weeks until you can have a play yourselves, things are moving faster now. m1 again

I only built this new #3crbot setfile 15 mins ago 500% since June 24th 2024 to Oct 2025 WIP #Beachtime again 🏊‍♂️🌤️⛱️🌞😍

#Swimthoughts For realism, again not cherry picked This #3crbot brand new m1 setfile doubled £1000 in 3 months, july 7th 2025 to Oct 10th 2025

This was only ever meant to be a retirement hobby As always I got a bit over excited, I am trying to step back a little However #3crbot is going gangbusters, the more I think (swim,walk), the more I learn, AI is amazing FYI Hoping to make setfile subs frm abt $40 pcm

A scruffy setfile but one of a dozen I built already today and it's not even 6am yet It occurred to me last night that every new setfile I build, just one like this one creates at least 50, maybe even 100s of hrs work fulfil it's potential I feel blessed to play & work so hard