Article Title:
Apple Releases Critical Security Updates to Address Actively Exploited WebKit Vulnerabilities
Article Text:
On December 13, 2025, Apple released a series of security updates across its product lineup—including iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and the Safari web browser—to address two critical vulnerabilities in the WebKit engine. These flaws have been actively exploited in the wild, posing significant risks to users.
Details of the Vulnerabilities:
1. CVE-2025-43529: This is a use-after-free vulnerability within WebKit. When processing maliciously crafted web content, this flaw could lead to arbitrary code execution, allowing attackers to potentially take control of affected devices.
2. CVE-2025-14174: This vulnerability involves memory corruption in WebKit. Similar to the first, it can result in arbitrary code execution when users encounter malicious web content. Notably, this same flaw was patched by Google in its Chrome browser on December 10, 2025, indicating its widespread impact across different platforms.
Discovery and Reporting:
The vulnerabilities were identified and reported by Apple’s Security Engineering and Architecture (SEAR) team in collaboration with Google’s Threat Analysis Group (TAG). This partnership underscores the critical nature of these flaws and the importance of cross-company collaboration in addressing security threats.
Implications and Exploitation:
Apple has acknowledged that these vulnerabilities may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. This statement suggests that the flaws were likely used in highly targeted attacks, possibly involving advanced spyware. Given that WebKit is the rendering engine for all third-party web browsers on iOS and iPadOS—including Chrome, Microsoft Edge, and Mozilla Firefox—the vulnerabilities’ reach is extensive.
Affected Devices and Systems:
The security updates are available for a wide range of devices and operating systems, including:
– iOS 26.2 and iPadOS 26.2: Compatible with iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later.
– iOS 18.7.3 and iPadOS 18.7.3: Compatible with iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
– macOS Tahoe 26.2: For Macs running macOS Tahoe.
– tvOS 26.2: For Apple TV HD and Apple TV 4K (all models).
– watchOS 26.2: For Apple Watch Series 6 and later.
– visionOS 26.2: For Apple Vision Pro (all models).
– Safari 26.2: For Macs running macOS Sonoma and macOS Sequoia.
Context and Historical Perspective:
With these updates, Apple has addressed a total of nine zero-day vulnerabilities exploited in the wild in 2025. Previous vulnerabilities include:
– CVE-2025-24085: A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privileges.
– CVE-2025-24200: An authorization issue in the Accessibility component that could enable an attacker to disable USB Restricted Mode on a locked device as part of a cyber-physical attack.
– CVE-2025-24201: An out-of-bounds write issue in the WebKit component that could be exploited to break out of the Web Content sandbox using maliciously crafted web content.
– CVE-2025-31200 and CVE-2025-31201: Flaws in the Core Audio and RPAC components, respectively, that could allow code execution when processing maliciously crafted media files or bypass Pointer Authentication.
– CVE-2025-43200: A logic issue in the Messages app that could allow an attacker to process a maliciously crafted photo or video shared via an iCloud Link, leading to arbitrary code execution.
– CVE-2025-43300: An out-of-bounds write vulnerability in the ImageIO framework that could result in memory corruption when processing a malicious image.
Recommendations for Users:
Given the active exploitation of these vulnerabilities, it is imperative for users to update their devices promptly. To ensure protection:
1. Check for Updates: Navigate to the settings menu on your device, select General, and then Software Update to check for and install the latest updates.
2. Stay Informed: Regularly monitor official communications from Apple regarding security updates and advisories.
3. Exercise Caution: Be vigilant when encountering unsolicited messages or content, especially from unknown sources, as they may contain malicious links or attachments designed to exploit vulnerabilities.
Conclusion:
Apple’s swift response to these critical vulnerabilities highlights the ongoing challenges in cybersecurity, especially concerning zero-day exploits. The collaboration between Apple and Google’s Threat Analysis Group underscores the importance of industry partnerships in identifying and mitigating security threats. Users are strongly encouraged to update their devices immediately to protect against potential exploits and to maintain the security and integrity of their personal information.
