CERT-In alerts users to high-risk flaws in Apple Pages/Keynote and Google Chrome; apply patches now

India’s Computer Emergency Response Team (CERT-In) published advisories describing exploitable defects in two widely used software families: Apple’s Pages and Keynote and Google’s desktop Chrome. The Apple issues are parsing bugs that can be triggered by maliciously crafted documents, while the Chrome flaw is tied to the Background Fetch implementation and can be weaponised via a specially formed network request to achieve arbitrary code execution. Apple released fixes at the end of January 2026 (updates addressing versions prior to 15.1), and Google rolled a stable-channel Chrome update the same week to remediate builds older than 144.0.7559.109/110. Both vendor updates close actionable vulnerabilities that require only user interaction — opening a tainted document or visiting a crafted resource — to begin exploitation. CERT-In’s guidance emphasises rapid patching and baseline verification across managed devices. These advisories arrive amid a broader January patching wave in which multiple vendors rushed emergency updates for document-handling and legacy-component flaws; for example, Microsoft also pushed emergency fixes for an Office zero-day (CVE-2026-21509) that was observed being exploited in the wild and subsequently highlighted by U.S. authorities. That parallel response by other vendors and government agencies (which sometimes add actively exploited defects to accelerated remediation lists) underscores the heightened urgency for organisations to act quickly. Practical mitigations while patches are deployed include blocking or sandboxing untrusted attachments, tightening network request filtering (especially for Background Fetch-like APIs), enforcing stricter endpoint policies, and enhancing telemetry and behavior-based detection for staged exploitation patterns. The combined presence of client-side parsing bugs and a browser API issue increases risk for both individual users and enterprise fleets, particularly where patch cycles lag. Security teams should triage impacted hosts, verify versions, and accelerate deployment through coordinated change control to reduce the window of exposure.