Apple patches two zero-day flaws used in targeted attacks

iPhone users more likely to get scammed than Android users, study indicates Kurt the CyberGuy joins 'Fox & Friends' to share his tips to stay safe from online scammers and recent warnings on how AI toys can harm children. Apple has released emergency security updates to fix two zero-day vulnerabilities that attackers actively exploited in highly targeted attacks. The company described the activity as an "extremely sophisticated attack" aimed at specific individuals. Although Apple did not identify the attackers or victims, the limited scope strongly suggests spyware-style operations rather than widespread cybercrime. Both flaws affect WebKit, the browser engine behind Safari and all browsers on iOS. As a result, the risk is significant. In some cases, simply visiting a malicious webpage may be enough to trigger an attack. Below, we break down what these vulnerabilities mean and explain how you can better protect yourself. Sign up for my FREE CyberGuy Report Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter. Apple released emergency updates after confirming two zero-day WebKit flaws were actively exploited in targeted attacks. (REUTERS/Thomas Peter/File Photo) NEW IPHONE SCAM TRICKS OWNERS INTO GIVING PHONES AWAY What Apple says about the zero-day vulnerabilities The two vulnerabilities are tracked as CVE-2025-43529 and CVE-2025-14174, and Apple confirmed that both were exploited in the same real-world attacks. According to Apple's security bulletin, the flaws were abused on versions of iOS released before iOS 26, and the attacks were limited to "specific targeted individuals." CVE-2025-43529 is a WebKit use-after-free vulnerability that can lead to arbitrary code execution when a device processes maliciously crafted web content. To put it simply, it allows attackers to run their own code on a device by tricking the browser into mishandling memory. Apple credited Google's Threat Analysis Group with discovering this flaw, which is often a strong indicator of nation-state or commercial spyware activity. The second flaw, CVE-2025-14174, is also a WebKit issue, this time involving memory corruption. While Apple describes the impact as memory corruption rather than direct code execution, these types of bugs are often chained together with other vulnerabilities to fully compromise a device. Apple says this issue was discovered jointly by Apple and Google's Threat Analysis Group. In both cases, Apple acknowledged that it was aware of reports confirming active exploitation in the wild. That language is important because Apple typically reserves it for situations where attacks have already occurred, not just theoretical risks. The company says it addressed the bugs through improved memory management and better validation checks, without sharing deeper technical details that could help attackers replicate the exploits. Devices affected and signs of coordinated disclosure Apple has released patches across its supported operating systems, including the latest versions of iOS, iPadOS, macOS, Safari, watchOS, tvOS and visionOS. According to Apple's advisory, affected devices include iPhone 11 and newer models, multiple generations of iPad Pro,...

Preview: ~500 words