patch

Apple Fixes Two Zero-days Exploited in Targeted iPhone Attacks

Apple patched two zero-day vulnerabilities in iPhones, affecting several operating systems, after reports of exploitation in targeted attacks. The flaws, found in CoreAudio and RPAC, allow remote code execution and a bypass of security features. Users are urged to update their devices immediately. This marks the fifth zero-day fix from Apple this year.

https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-exploited-in-targeted-iphone-attacks/

Google Fixes Flaw That Could Unmask YouTube Users’ Email Addresses

Google fixed vulnerabilities that could expose YouTube users' email addresses by chaining YouTube and Pixel Recorder APIs to reveal Google Gaia IDs, enabling identity breaches. Researchers disclosed the issues, noting significant privacy risks for anonymous users. After reporting, Google increased the bounty for the findings and implemented fixes on February 9, 2025.

https://www.bleepingcomputer.com/news/security/google-fixes-flaw-that-could-unmask-youtube-users-email-addresses/

Microsoft February 2025 Patch Tuesday Fixes 4 Zero-days, 55 Flaws

Microsoft's February 2025 Patch Tuesday includes security updates for 55 vulnerabilities, with 4 zero-day flaws, two of which are actively exploited. Highlights are 19 elevation of privilege and 22 remote code execution vulnerabilities. Specific zero-days addressed include one posing file deletion risks (CVE-2025-21391) and another granting SYSTEM privileges (CVE-2025-21418). Publicly disclosed zero-days include a UEFI bypass (CVE-2025-21194) and NTLM hash disclosure vulnerability (CVE-2025-21377). Additional updates were also released by other companies, such as Adobe and Google.

https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2025-patch-tuesday-fixes-4-zero-days-55-flaws/

Apple Fixes Zero-day Exploited in ‘extremely Sophisticated’ Attacks

Apple patched a zero-day vulnerability in iOS and iPadOS exploited in “extremely sophisticated” targeted attacks. The issue, affecting various iPhone and iPad models, potentially allowed misuse of USB Restricted Mode. Users are urged to update their devices to prevent ongoing attacks, as previous zero-days have been linked to spyware targeting high-risk individuals.

https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-exploited-in-extremely-sophisticated-attacks/

About the Security Content of iOS 18.3 and iPadOS 18.3

The iOS 18.3 and iPadOS 18.3 security update, released January 27, 2025, addresses multiple vulnerabilities affecting recent devices. Key fixes involve potential unauthorized access, denial-of-service risks, and privilege escalation. Each vulnerability is linked to a specific CVE ID, and Apple prioritizes user safety by withholding details until patches are available. For further details, consult the Apple security releases page.

https://support.apple.com/en-us/122066

7-Zip Fixes Bug That Bypasses Windows MoTW Security Warnings, Patch Now

7-Zip patched a high-severity vulnerability (CVE-2025-0411) in which improper handling of nested archives allowed attackers to bypass Windows Mark of the Web (MotW) security warnings, enabling code execution. Users must update to version 24.09 to mitigate this risk, as many may still use vulnerable versions without auto-update.

https://www.bleepingcomputer.com/news/security/7-zip-fixes-bug-that-bypasses-the-windows-motw-security-mechanism-patch-now/

Microsoft January 2025 Patch Tuesday Fixes 8 Zero-days, 159 Flaws

Microsoft's January 2025 Patch Tuesday addresses 159 vulnerabilities, including 8 zero-days, with 3 actively exploited. Key fixes include 12 critical vulnerabilities affecting remote code execution, information disclosure, and privilege elevation. Notable vulnerabilities include flaws in Windows Hyper-V and Microsoft Access, which could lead to serious security risks. The total comprises 40 elevation of privilege vulnerabilities, 58 remote code execution vulnerabilities, and others across various categories. Other vendors like Adobe, Cisco, and Fortinet also released updates this month.

https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws/
