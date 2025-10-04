news
Security Leftovers and Windows TCO
LWN ☛ Security updates for Friday
Security updates have been issued by AlmaLinux (idm:DL1), Debian (gegl and haproxy), Fedora (ffmpeg, firefox, freeipa, python-pip, rust-astral-tokio-tar, sqlite, uv, webkitgtk, and xen), Oracle (idm:DL1, ipa, kernel, perl-JSON-XS, and python3), Red Hat (git), SUSE (curl, frr, jupyter-jupyterlab, and libsuricata8_0_1), and Ubuntu (linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure, linux-azure-6.8, linux-fips, linux-gcp-fips, and linux-intel-iot-realtime, linux-realtime).
Qt ☛ Security advisory: Uncontrolled Recursion and Use-After-Free vulnerabilities in Qt SVG module impact Qt
Two vulnerabilities in Qt SVG module have been discovered. Uncontrolled recursion vulnerability has been assigned the CVE id CVE-2025-10728. Whereas Use-After-Free vulnerability has been assigned the CVE id CVE-2025-10729.
Security Week ☛ Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks
The software giant’s investigation showed that vulnerabilities patched in July 2025 may be involved.
Security Week ☛ Organizations Warned of Exploited Meteobridge Vulnerability
Patched in mid-May, the security defect allows remote unauthenticated attackers to execute arbitrary commands with root privileges.
Security Week ☛ Unauthenticated RCE Flaw Patched in DrayTek Routers
The security defect can be exploited remotely via crafted HTTP/S requests to a vulnerable device’s web user interface.
Security Week ☛ Chrome 141 and Firefox 143 Patches Fix High-Severity Vulnerabilities
High-severity flaws were patched in Chrome’s WebGPU and Video components, and in Firefox’s Graphics and JavaScript Engine components.
Security Week ☛ In Other News: PQC Adoption, New Android Spyware, FEMA Data Breach
Other noteworthy stories that might have slipped under the radar: cybercriminals offer money to BillBC journalist, Microsoft's Surveillance Arm LinkedIn user data will train AI, Tile tracker vulnerabilities.
Windows TCO / Windows Bot Nets
Hackaday ☛ This Week In Security: CVSS 0, Chwoot, And Not In The Threat Model
This week a reader sent me a story about a CVE in Notepad++, and something isn’t quite right. The story is a DLL hijack, a technique where a legitimate program’s Dynamic Link Library (DLL) is replaced with a malicious DLL. This can be used for very stealthy persistence as well as escalation of privilege. This one was assigned CVE-2025-56383, and given a CVSS score of 8.4.
Scoop News Group ☛ Federal judiciary touts cybersecurity work in wake of latest major breach
The Administrative Office of the United States Courts denied ignoring expert advice in a letter to Sen. Ron Wyden, D-Ore., who blasted Chief Justice Roberts in a response statement.
