Apple and Google Rush Emergency Security Updates as Spyware Exploits Active WebKit Flaw

Apple and Google have released emergency security updates after confirming that spyware operators actively exploited a WebKit vulnerability in the wild. The issue affects how Apple devices process web content, and it can lead to code execution or memory corruption when a user loads a maliciously crafted page.

What triggered the emergency updates

Apple published security fixes for iOS 26.2 and iPadOS 26.2 on December 12, 2025, after receiving reports that attackers used the flaws in “extremely sophisticated” attacks against specific targeted individuals on versions of iOS before iOS 26.

Google also pushed an urgent Chrome update after identifying active exploitation, with Google’s Threat Analysis Group involved in the discovery and analysis. The timing and coordination indicate that attackers targeted browser and web rendering paths across ecosystems.

What the WebKit vulnerability allowed attackers to do

The core risk sits inside WebKit, the engine that powers Safari and in-app web content on Apple platforms. Because iOS and iPadOS browsers must use WebKit, a single bug can expose users even if they do not use Safari as their primary browser.

Apple’s security notes say that processing maliciously crafted web content could lead to arbitrary code execution or memory corruption. These outcomes often serve as an entry point for spyware, which can enable deeper compromise after initial execution.

Which vulnerabilities Apple fixed

Apple addressed two WebKit issues that it says attackers may have exploited:

  • CVE-2025-14174: Apple says maliciously crafted web content may lead to arbitrary code execution. Apple attributes the report to Apple and Google’s Threat Analysis Group.
  • CVE-2025-43529: Apple says maliciously crafted web content may lead to memory corruption. Apple credits Google’s Threat Analysis Group.

Apple describes the underlying fixes as improved memory management and improved validation, which aligns with how vendors typically mitigate memory safety bugs in browser engines.

Who was targeted

Apple says the exploitation targeted specific individuals and involved extremely sophisticated techniques. The company has not disclosed the number of victims, the attacker identity, or the geographic scope.

Security researchers commonly associate this level of targeting and technical complexity with commercial spyware vendors or state-linked operators, rather than broad opportunistic malware.

Devices and software affected

Apple shipped patches across its ecosystem, including iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, and Safari updates, along with fixes for watchOS, tvOS, and visionOS. Apple’s iOS 26 platform support begins with iPhone 11 and newer models.

Google issued a related emergency fix for Chrome after confirming active exploitation on the browser side. Users on Chromium-based browsers typically need vendor-specific updates, so timing can vary by browser.

Why this matters right now

This incident fits a familiar pattern: attackers use zero-day flaws in browser engines because the web stack sits in front of everything. Once a flaw becomes known to defenders, rapid patching becomes critical, especially for users on older OS versions.

Even if the confirmed campaigns remain targeted, unpatched devices stay exposed as exploit techniques spread. Updating quickly reduces the chance that a web-based infection chain succeeds.

What users should do

Install the latest Apple software updates on iPhone, iPad, and Mac devices, and update Chrome to the newest stable version. If you manage devices for an organization, prioritize patch deployment for users who face higher targeting risk.

What’s next

Apple and Google are expected to continue monitoring for follow-up exploitation attempts as security researchers analyze the patched WebKit and Chrome components. If attackers adapt their techniques, additional updates or rapid-response patches could follow.

Apple may also backport the fixes to older supported operating system versions, especially for users who cannot upgrade immediately. Google typically pushes related Chromium fixes downstream to other browser vendors, which could trigger updates across the wider browser ecosystem.

For users, the next critical step is simple. Keep automatic updates enabled and apply new patches as soon as they appear. As details about this WebKit flaw circulate among attackers, fully patched systems will remain far less attractive targets.
