Apple patched two critical zero-day vulnerabilities on December 12 that were actively exploited in what the company calls "extremely sophisticated attacks" targeting specific individuals. The flaws, CVE-2025-43529 and CVE-2025-14174, affect WebKit and allow attackers to execute malicious code through crafted web content.
Discovered by Apple's security team and Google's Threat Analysis Group, these memory corruption bugs were fixed across iOS, iPadOS, and macOS devices. One vulnerability also impacts Google Chrome's graphics engine, suggesting cross-platform exploitation potential.
Apple has used similar language before when describing commercial spyware attacks, though neither Apple nor Google provided technical details about the exploitation. Security experts say vendors deliberately limit disclosure to prevent attackers from reverse-engineering patches into new exploits.
Source: Dark Reading