
Apple has announced fixes for critical security flaws in the iOS operating system after the vulnerabilities were exploited in a cyberattack the company described as “highly sophisticated.” The attack targeted a specific group of users, making it one of the most serious challenges to iPhone security in recent times, and it prompted the release of two urgent security updates to address the two vulnerabilities that had already been exploited. More broadly, attacks of this kind aim to steal users’ passwords, giving attackers unauthorized access to financial applications and the ability to steal funds.
The vulnerabilities affect WebKit, the browser engine in iOS that powers the default Safari browser on iPhone as well as other browsers running on iOS. As a result, an iPhone user may be at risk simply by visiting a malicious website; that action alone may be enough to trigger the attack. The two vulnerabilities are tracked as CVE-2025-43529 and CVE-2025-14174, and both have been exploited in a real attack.
The first vulnerability allows attackers to execute code remotely on the target device because of a flaw in memory management within WebKit. The second vulnerability was discovered in collaboration between Apple and Google’s Threat Analysis Group. The vulnerabilities have been addressed by improving memory management and enhancing verification processes. Both Apple and Google were careful to minimize the amount of information released to the media, so that attackers do not obtain advanced technical details they could exploit.
Apple has fixed these vulnerabilities in all of its operating systems, including iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. Note that Apple requires all iOS browsers to use WebKit, which means the Chrome browser app on iPhone was also affected by these vulnerabilities.
How do you avoid falling victim to WebKit vulnerabilities? Here are some tips you can follow to protect yourself from zero-day attacks:
– Install updates as soon as they are released. This step is necessary because zero-day attacks take advantage of users’ moments of neglect and rely heavily on users running outdated software.
– Enable automatic updates. Turn on automatic updates for all your Apple devices so that each update is installed automatically even if you miss the news about its release.
– Be careful when clicking on links. Since WebKit vulnerabilities usually require visiting a malicious website, avoid clicking on random links you receive via text message unless you are expecting the message.
– Install anti-virus software that alerts you to ransomware scams and phishing emails.
– Use Apple’s Lockdown Mode if you feel threatened by an attack exploiting unknown vulnerabilities. Go to “Settings > Privacy & Security > Lockdown Mode,” then click “Lockdown Mode.” (Al Youm Al Saabi)