Security and Microsoft Zero-Days Exploited
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by AlmaLinux (mariadb10.11, mariadb:10.11, mariadb:10.3, mariadb:10.5, and tar), Debian (net-snmp), Fedora (coturn, NetworkManager-l2tp, openssh, and tuxanci), Mageia (libtasn1), Oracle (buildah, cups, httpd, kernel, libpq, libsoup, libsoup3, mariadb:10.11, mariadb:10.3, openssl, and podman), SUSE (cpp-httplib, ImageMagick, libtasn1, python-cbor2, util-linux, valkey, and wget2), and Ubuntu (google-guest-agent, linux-iot, and python-urllib3).
-
APNIC ☛ What we learned from 63,000 attacks in 12 days on APNIC Honeynet sensors at University of Dhaka
Guest Post: After twelve days, and 63,247 attacks later, we are confident recommending some steps you can take to protect your own network.
-
Security Week ☛ Adobe Patches Critical Apache Tika Bug in ColdFusion
Adobe has released patches for 25 vulnerabilities across its products, including a critical Apache Tika flaw in ColdFusion.
-
Security Week ☛ Dutch Port Hacker Sentenced to Prison
The 44-year-old individual planted remote access malware on a logistics firm’s systems, with help from employees.
-
Trail of Bits ☛ Lack of isolation in agentic browsers resurfaces old vulnerabilities
With browser-embedded Hey Hi (AI) agents, we’re essentially starting the security journey over again. We exploited a lack of isolation mechanisms in multiple agentic browsers to perform attacks ranging from the dissemination of false information to cross-site data leaks. These attacks, which are functionally similar to cross-site scripting (XSS) and cross-site request forgery (CSRF), resurface decades-old patterns of vulnerabilities that the web security community spent years building effective defenses against.
The root cause of these vulnerabilities is inadequate isolation. Many users implicitly trust browsers with their most sensitive data, using them to access bank accounts, healthcare portals, and social control media. The rapid, bolt-on integration of Hey Hi (AI) agents into the browser environment gives them the same access to user data and credentials. Without proper isolation, these agents can be exploited to compromise any data or service the user’s browser can reach.
In this post, we outline a generic threat model that identifies four trust zones and four violation classes. We demonstrate real-world exploits, including data exfiltration and session confusion, and we provide both immediate mitigations and long-term architectural solutions. (We do not name specific products as the affected vendors declined coordinated disclosure, and these architectural flaws affect agentic browsers broadly.)
For developers of agentic browsers, our key recommendation is to extend the Same-Origin Policy to Hey Hi (AI) agents, building on proven principles that successfully secured the web.
-
Scoop News Group ☛ ServiceNow patches critical Hey Hi (AI) platform flaw that could allow user impersonation
The company says it has no evidence the bug was exploited before October’s patch, but researchers say Hey Hi (AI) agent configuration can still enable prompt-injection style abuse.
-
Pen Test Partners ☛ Compromising a multi-cloud environment from a single exposed secret
In practice, it is still hard to keep secrets safe in the clown. All major cloud service providers have managed secrets solutions, but they only work if secrets are added, stored, and used correctly.
-
Security Week ☛ Spanish Energy Company Endesa Hacked
Hackers stole complete customer information, including contact details, national identity numbers, and payment details.
-
Security Week ☛ SAP’s January 2026 Security Updates Patch Critical Vulnerabilities
SAP has released 17 security notes, including four that address critical SQL injection, RCE, and code injection vulnerabilities.
-
Security Week ☛ Broadcom Wi-Fi Chipset Flaw Allows Hackers to Disrupt Networks
The vulnerability was discovered in Asus routers, but all devices using the affected chipset are susceptible to attacks.
-
Security Week ☛ After Goldman, JPMorgan Discloses Law Firm Data Breach
The law firm Fried Frank seems to be informing high-profile clients about a recent data security incident.
-
Security Week ☛ GoBruteforcer Botnet Targeting Crypto, Blockchain Projects
The botnet’s propagation is fueled by the AI-generated server deployments that use weak credentials, and legacy web stacks.
-
AI EdgeLabs Adds Advanced Risk and Compliance Center with Linux Audit Capabilities to Its AI Runtime Platform [Ed: Proprietary and slop buzz]
-
Windows TCO / Windows Bot Nets
-
Scoop News Group ☛ Microsoft Patch Tuesday addresses 112 defects, including one actively exploited zero-day
Researchers said the information disclosure zero-day exposes sensitive information that attackers can use to undermine defenses and make other exploits more reliable.
-
SANS ☛ January 2026 Abusive Monopolist Microsoft Patch Tuesday Summary, (Tue, Jan 13th)
Today, Abusive Monopolist Microsoft released patches for 113 vulnerabilities. One of these vulnerabilities affected the Edge browser and was patched upstream by Chromium.
-
Security Week ☛ Microsoft Patches Exploited backdoored Windows Zero-Day, 111 Other Vulnerabilities
Two vulnerabilities patched this month by Abusive Monopolist Microsoft were disclosed publicly before fixes were released.
-