
Urgent Apple Update Fixes Critical Security Exploits

Originally published on: December 16, 2025
Summary

– Apple has released security updates to fix two actively exploited WebKit zero-day vulnerabilities (CVE-2025-14174 and CVE-2025-43529).
– CVE-2025-14174 is a memory corruption flaw in WebKit, which also required fixes in Google Chrome and Microsoft Edge as they use the engine on Apple platforms.
– These vulnerabilities were reportedly used in sophisticated, targeted attacks against specific individuals via malicious web pages.
– Apple advises all users to update their devices promptly, with fixes available in the latest macOS versions and Safari v26.2.
– Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities catalog, highlighting their active threat status.

Apple has released critical security patches addressing two actively exploited vulnerabilities in its WebKit browser engine. These flaws, identified as CVE-2025-14174 and CVE-2025-43529, were being used in sophisticated zero-day attacks. All users should install these updates immediately to protect their devices from potential compromise. The updates are available across Apple’s ecosystem, including iPhones, iPads, and Mac computers.

The issue first came to light when Google addressed a vulnerability in its desktop Chrome browser for Mac. That flaw was later assigned the identifier CVE-2025-14174. Technical analysis reveals it was an out-of-bounds memory access weakness within the ANGLE component of Chrome. A maliciously crafted webpage could trigger this flaw, allowing an attacker to perform unauthorized memory access. Microsoft subsequently fixed the same issue in its Chromium-based Edge browser on December 11.

These vulnerabilities were reported through a collaboration between Apple’s own Security Engineering and Architecture (SEAR) team and Google’s Threat Analysis Group (TAG). According to Apple’s security notes, CVE-2025-14174 is a memory corruption issue in WebKit. Since WebKit underpins Safari and all web browsers on iOS and iPadOS, the flaw necessitated fixes from other browser vendors as well.

Apple confirmed the vulnerabilities were exploited in highly targeted attacks. The company stated it is “aware of a report that [CVE-2025-14174] may have been exploited in an extremely sophisticated attack against specific targeted individuals.” The companion flaw, CVE-2025-43529, was also addressed in response to the same report. While CVE-2025-14174 could lead to memory corruption, CVE-2025-43529 might allow for arbitrary code execution. Security researchers believe these two flaws were likely chained together in attacks, activated when a victim visited a booby-trapped website.

Although Apple typically withholds specific details about such attacks to prevent further exploitation, the language strongly suggests the incidents involved spyware campaigns aimed at particular individuals. The urgent nature of the updates underscores the serious risk, making prompt installation essential for every user, not just those who might consider themselves targets.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities catalog, which requires federal agencies to apply the patches. CVE-2025-14174 was cataloged on December 12, and CVE-2025-43529 was added on December 15.

The security fixes have been rolled out in the latest operating system versions. Users should update to iOS 26.2, iPadOS 26.2, macOS Sequoia 15.3, macOS Sonoma 14.8, and Safari 26.2. Applying these updates is the most effective way to close the security gap and protect your device from these active threats.

(Source: HelpNet Security)
