Apple issued emergency security updates for iPhone and iPad users this week, patching two actively exploited zero-day vulnerabilities in WebKit. The browser engine powers Safari and all iOS browsers, making the threat universal across Apple's mobile ecosystem.
The company described the attacks as "extremely sophisticated" and targeted at specific individuals, according to security bulletins published December 28-30. Both vulnerabilities were exploited in real-world attacks before patches became available.
Tracked as CVE-2025-43529 and CVE-2025-14174, the flaws allow attackers to execute arbitrary code through malicious websites. Visiting a compromised page could grant hackers full device control without user interaction.
Apple and Google's Threat Analysis Group jointly discovered the vulnerabilities. CVE-2025-43529 is a use-after-free bug in WebKit's memory management, while CVE-2025-14174 involves memory corruption through inadequate input validation.
Affected devices include iPhone 11 and newer models, iPad Pro 12.9-inch (third generation and later), iPad Pro 11-inch (first generation and later), iPad Air (third generation and later), iPad (eighth generation and later), and iPad mini (fifth generation and later).
Fixes are available in iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. Apple also released iOS 18.7.3 and iPadOS 18.7.3 for older devices.
Users with automatic updates enabled should already be protected. Others must update manually through Settings > General > Software Update.
Cybersecurity expert Kurt Knutsson emphasized immediate installation. "Zero-day attacks rely on catching users off guard with outdated software," he wrote for Fox News. "Installing updates immediately is crucial."
The WebKit engine's central role in iOS security creates broad exposure. Apple requires all iOS browsers to use WebKit, meaning Chrome and other third-party browsers share the same vulnerability.
Attackers could steal passwords, payment information, and other sensitive data through compromised websites. The targeted nature suggests possible spyware operations against journalists, activists, or political figures.
Knutsson recommended additional precautions beyond patching. Avoid clicking unexpected links in SMS, WhatsApp, Telegram, or email messages. Type website addresses manually when links appear suspicious.
Enable automatic updates across all Apple devices for future protection. Consider antivirus software for additional malware detection, especially for high-risk individuals.
Apple's Lockdown Mode offers enhanced protection for targeted users. The feature restricts certain web technologies and blocks most message attachments, limiting common attack vectors.
The company typically doesn't disclose attack details until investigations conclude. "For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred," Apple stated.
The episode is the latest in Apple's ongoing response to sophisticated threats against its platform. The rapid patch deployment reflects improved vulnerability management, though WebKit's complexity remains a recurring security challenge.
Users should verify update status immediately and remain cautious with web links. Enterprise administrators face particular challenges managing fleet updates against time-sensitive threats.
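As an added example (not from the article, Apple, or any MDM vendor), a triage script an administrator could run over a fleet inventory export; it assumes each record carries a device name and an os_version string, uses the fixed versions named above, and shows why version strings must be compared numerically rather than as text.

```python
"""Triage an iOS/iPadOS fleet inventory against Apple's fixed versions."""
from typing import Dict, List

# Fixed versions named in the bulletins: the 26.2 line, and the 18.7.3
# back-port for devices that cannot run iOS/iPadOS 26.
FIXED_BY_MAJOR = {26: (26, 2), 18: (18, 7, 3)}


def parse_version(text: str) -> tuple:
    """Turn '18.7.3' into (18, 7, 3) so comparison is numeric, not lexical.
    A plain string compare would rank '18.7.10' below '18.7.3'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(version: str) -> bool:
    """True if the device runs a build at or above the fix for its release line."""
    v = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        # Assumption: release lines the bulletins do not name got no fix,
        # so a device on one is treated as exposed and flagged for follow-up.
        return False
    # Pad with zeros so '26.2' and '26.2.0' compare as equal.
    width = max(len(v), len(fixed))
    return v + (0,) * (width - len(v)) >= fixed + (0,) * (width - len(fixed))


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the names of devices still exposed, for follow-up."""
    return [d["name"] for d in inventory if not is_patched(d["os_version"])]


# Constructed sample inventory (hypothetical device names, not from the article).
SAMPLE_INVENTORY = [
    {"name": "ip-0042", "os_version": "26.2"},
    {"name": "ip-0043", "os_version": "26.1.1"},
    {"name": "ipad-0007", "os_version": "18.7.3"},
    {"name": "ipad-0008", "os_version": "18.7.2"},
    {"name": "ip-0044", "os_version": "26.2.1"},
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: still exposed, needs update")
```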