Apple, Google forced to issue emergency 0-day patches
Summary
Apple and Google issued emergency fixes after zero-day vulnerabilities were found to be actively exploited in the wild. Apple released security updates across iPhone, iPad and Mac to patch two WebKit bugs it said “may have been abused in an extremely sophisticated attack against specific targeted individuals.” Google pushed a Chrome Stable update that fixes multiple flaws, including at least one zero-day (CVE-2025-14174), an out-of-bounds memory access that was already being exploited.
Google credits Apple’s security engineering team and Google’s Threat Analysis Group for discovering the Chrome flaw, a hint that the exploitation was spyware-grade and likely targeted rather than opportunistic. The incidents add to a busy year: nine Apple zero-days exploited in the wild and eight Chrome zero-days patched in 2025 so far.
Key Points
- Apple patched two WebKit vulnerabilities used in “extremely sophisticated” targeted attacks affecting iPhones, iPads and Macs.
- Google fixed multiple Chrome bugs, including CVE-2025-14174 (out-of-bounds memory access) that was exploited before a public fix.
- Google credits Apple’s security engineering team and its own Threat Analysis Group with the discovery, suggesting spyware-grade, targeted abuse rather than random drive-by attacks.
- Both firms provided limited technical detail; the disclosures confirm active exploitation but give few specifics.
- The fixes bring Apple’s 2025 in-the-wild tally to nine zero-days and Chrome’s to eight, underscoring continued attacker focus on browsers and mobile platforms.
Context and relevance
Browsers and mobile platforms remain prime targets because successful zero-days can yield deep access to devices and data. That the discovery is credited to Google’s Threat Analysis Group and Apple’s security team suggests advanced actors, potentially mercenary spyware vendors or state-backed groups, were involved. For security teams and casual users alike, these incidents reinforce the need for rapid patching and monitoring: delayed updates increase the chance of compromise, especially for high-value or targeted individuals.
Author style
Punchy: this is serious and time-sensitive. The lack of technical detail from both vendors is deliberate but frustrating — it means defenders must act on vendor updates rather than waiting for full disclosure. If you manage fleets or handle sensitive data, treat these patches as high priority.
Why should I read this?
Quick heads-up — if you use an iPhone, iPad, Mac or Chrome, hit update now. These weren’t hypothetical bugs; attackers were already using them. We’ve done the slog so you don’t have to: patch, check your devices, and if you’re responsible for others, push the updates organisation-wide.
