January Security Updates
Each month we round up the regular security releases from major product vendors, providing a basic overview for consumers and small businesses along with a more technical summary for IT professionals.
General Overview
This January update roundup covers security fixes released by Microsoft, Apple, Google for Android and Chrome, and Mozilla for the Firefox browser.
Together, these updates address a range of security weaknesses in computers, mobile phones, tablets, and web browsers that many small businesses and individuals use every day. Some fixes close more serious gaps that could allow attackers to access systems or data, while others improve overall safety and reliability.
For small business owners, the key takeaway is straightforward. Regularly applying updates is one of the simplest and most effective steps you can take to protect your business. Keep devices, software and browsers up to date, apply updates when prompted - even when you think you know best. While updates can sometimes be inconvenient, delaying them increases the risk of security issues later on. Where possible, major updates should be planned outside of busy working hours, and any systems that support critical business functions should be checked afterwards to confirm everything is running smoothly.
Windows Updates - 25H2 / 24H2
Microsoft fixes 112 security issues, including 8 rated Critical. These updates close gaps that could have allowed attackers to remotely compromise a computer or gain higher access without the user’s knowledge. Installing the updates helps protect home and small business devices from data loss, fraud, and disruption.
Apple macOS - 26.2 / 18.7.3
macOS security updates from Apple address vulnerabilities that could have allowed malicious software or websites to access personal data, bypass built-in protections, or gain greater control of a Mac without the user’s knowledge.
Google Chrome Web Browser - 144
Updates for the Chrome web browser from Google fix security flaws that could have allowed malicious websites to run harmful code, steal information, or interfere with normal browsing. Web browsers are a common target for attackers because they are used daily, often to access email, banking, and cloud services. Keeping Chrome up to date helps protect users from online scams, data theft, and compromised websites, particularly for small businesses and home users who rely heavily on the browser for everyday tasks.
Firefox Web Browser - 143
Updates for the Firefox web browser address security flaws that could have allowed malicious websites to access data, track users, or interfere with normal browsing.
Apple iPhone iOS - 26.2 / 18.7.3
Apple fix vulnerabilities that could have allowed malicious apps or websites to access personal information, interfere with normal phone operation, or bypass built-in security controls. While most users would not notice these issues, keeping iPhones up to date helps protect against data exposure, scams, and unauthorised access, particularly where devices are used for email, messaging, and work related activity.
Android Updates
Google address vulnerabilities that could have allowed malicious apps or websites to access data, track users, or gain greater control of a device without permission.
Technical Summary
Microsoft opens 2026 with a substantial Patch Tuesday release, delivering 112 security updates across Windows and its core components, Microsoft Office, Azure, Microsoft Edge (Chromium based), SharePoint Server, SQL Server, the SMB Server stack, and Windows Management Services.
Eight of the vulnerabilities addressed in this cycle are rated Critical, with the remaining fixes classified as Important. As usual, the Critical issues largely relate to remote code execution and privilege escalation scenarios that could be exploited without user interaction or with minimal preconditions, particularly within core Windows services and widely deployed enterprise platforms. For IT and security teams, this reinforces the need to prioritise rapid testing and deployment, especially where exposed services, legacy protocols, or shared infrastructure components are in use.
January releases are often heavier than average, and this month follows a familiar pattern. Many vendors, Microsoft included, deliberately defer non urgent fixes during the Christmas and New Year period to reduce the risk of unplanned outages or operational disruption when staffing levels are lower. The result is a compressed release cycle in early January, where multiple months of remediation activity converge into a single update window.
From an operational perspective, organisations should expect a broader than normal testing scope, with attention paid not just to endpoints but also to server roles, identity dependent services, and line of business applications that integrate with Windows, SQL Server, or SharePoint. Change management, rollback planning, and clear internal communications are particularly important during these larger patch cycles, as the likelihood of compatibility issues or performance regressions is inherently higher.
High Profile Vulnerabilities
CVE-2026-20952 - Microsoft Office Remote Code Execution Vulnerability | CVSS: 8.4 | Type: RCE |
Overview Susceptibility | Public: No | Exploited: No |
CVE-2026-20809 - Windows Kernel Memory Elevation of Privilege Vulnerability | CVSS: 7.8 | Type: EoP |
Overview Susceptibility | Public: No | Exploited: No |
CVE-2026-20963 - Microsoft SharePoint Remote Code Execution Vulnerability | CVSS: 8.8 | Type: RCE |
Overview Susceptibility | Public: No | Exploited: No |
DISCLAIMER
As always, enable auto-updates in product packages. This will address wider vulnerabilities than disclosed here.
Where applying updates automatically is not possible, exercise good vulnerability triage and apply all security patches within 14 days.