#vulnerabilities

#vulnerabilities

The attack illustrates the extent to which Big Tech relies on open-source software. Without the many contributions of open-source developers, Apple, Amazon, Google, Microsoft, and everyone else would need to invest vast sums in building more of the infrastructure of our digital world.

Apple's iOS 26.4 and iPadOS 26.4 updates include patches for nearly 40 security defects, addressing critical vulnerabilities that could be exploited by malicious actors.

CVE-2025-65717 (CVSS score: 9.1) - A vulnerability in Live Server that allows attackers to exfiltrate local files, tricking a developer into visiting a malicious website when the extension is running, causing JavaScript embedded in the page to crawl and extract files from the local development HTTP server that runs at localhost:5500, and transmit them to a domain under their control. (Remains unpatched)

Google on Tuesday announced the release of Chrome 145 to the stable channel with fixes for 11 vulnerabilities, including three high-severity bugs. First in line is CVE-2026-2313, a high-severity use-after-free issue in CSS that earned the reporting researchers an $8,000 bug bounty reward. The two other high-severity defects, tracked as CVE-2026-2314 and CVE-2026-2315, were found and reported by Google and are described as a heap buffer overflow in Codecs and an inappropriate implementation in WebGPU, respectively.

On January 26, 2026, Delta, a Russian alarm and vehicle security provider, suffered a major cyberattack, disrupting alarms, vehicle systems, and company communications for tens of thousands of customers. While no confirmed customer data breach occurred, an unverified leak circulated online.

Vulnerabilities discovered by researchers in Dormakaba physical access control systems could have allowed hackers to remotely open doors at major organizations. The security holes were discovered by experts at SEC Consult, a cybersecurity consulting firm under Atos-owned Eviden, in Dormakaba's Exos central management software, a hardware access manager, and registration units that enable entry via a keypad, fingerprint reader, or chip card.

infosec in brief Meta has fixed a flaw in its Instagram service that allowed third parties to generate password reset emails, but denied the problem led to theft of users' personal information. Last Friday, security software vendor Malwarebytes claimed "Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more." The vendor included a screenshot of a password reset email sent to Instagram users.

The most serious, with a CVSS score of 9.8, allows attackers to execute code with SYSTEM privileges without authentication. Organizations should immediately patch to Build 7190. The most dangerous vulnerability, CVE-2025-69258, is a remote code execution vulnerability in LoadLibraryEX. An attacker can load a malicious DLL into a critical part of the system without login credentials. This gives them full control with the highest system privileges. The impact is significant: confidentiality, integrity, and availability are all at stake.