Apple has released emergency security updates to fix two zero-day vulnerabilities that attackers actively exploited in highly targeted attacks. 

The company described the activity as an “extremely sophisticated attack” aimed at specific individuals. Although Apple did not identify the attackers or victims, the limited scope strongly suggests spyware-style operations rather than widespread cybercrime.

Both flaws affect WebKit, the browser engine behind Safari and all browsers on iOS. As a result, the risk is significant. In some cases, simply visiting a malicious webpage may be enough to trigger an attack.

Below, we break down what these vulnerabilities mean and explain how you can better protect yourself.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

NEW IPHONE SCAM TRICKS OWNERS INTO GIVING PHONES AWAY

What Apple says about the zero-day vulnerabilities

The two vulnerabilities are tracked as CVE-2025-43529 and CVE-2025-14174, and Apple confirmed that both were exploited in the same real-world attacks. According to Apple’s security bulletin, the flaws were abused on versions of iOS released before iOS 26, and the attacks were limited to “specific targeted individuals.”

CVE-2025-43529 is a WebKit use-after-free vulnerability that can lead to arbitrary code execution when a device processes maliciously crafted web content. To put it simply, it allows attackers to run their own code on a device by tricking the browser into mishandling memory. Apple credited Google’s Threat Analysis Group with discovering this flaw, which is often a strong indicator of nation-state or commercial spyware activity.

The second flaw, CVE-2025-14174, is also a WebKit issue, this time involving memory corruption. While Apple describes the impact as memory corruption rather than direct code execution, these types of bugs are often chained together with other vulnerabilities to fully compromise a device. Apple says this issue was discovered jointly by Apple and Google’s Threat Analysis Group.

In both cases, Apple acknowledged that it was aware of reports confirming active exploitation in the wild. That language is important because Apple typically reserves it for situations where attacks have already occurred, not just theoretical risks. The company says it addressed the bugs through improved memory management and better validation checks, without sharing deeper technical details that could help attackers replicate the exploits.

Devices affected and signs of coordinated disclosure

Apple has released patches across its supported operating systems, including the latest versions of iOS, iPadOS, macOS, Safari, watchOS, tvOS and visionOS.

According to Apple’s advisory, affected devices include iPhone 11 and newer models, multiple generations of iPad Pro, iPad Air from the third generation onward, the eighth-generation iPad and newer and the iPad mini starting with the fifth generation. This covers the vast majority of iPhones and iPads still in active use today.

Apple has patched the flaws across its entire ecosystem. Fixes are available in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2 and Safari 26.2. Because Apple requires all iOS browsers to use WebKit under the hood, the same underlying issue also affected Chrome on iOS.

6 steps you can take to protect yourself from such vulnerabilities

Here are six practical steps you can take to stay safe, especially in light of highly targeted zero-day attacks like this.

REAL APPLE SUPPORT EMAILS USED IN NEW PHISHING SCAM

1) Install updates as soon as they drop

This sounds obvious, but it matters more than anything else. Zero-day attacks rely on people running outdated software. If Apple ships an emergency update, install it the same day if you can. Delaying updates is often the only window attackers need. If you tend to forget about updates, let your devices handle them for you. Enable automatic updates for iOS, iPadOS, macOS and Safari. That way, you are protected even if you miss the news or are traveling.

2) Be careful with links, even from people you know

Most WebKit exploits start with malicious web content. Avoid tapping on random links sent over SMS, WhatsApp, Telegram or email unless you are expecting them. If something feels off, open the site later by typing the address yourself.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com.

3) Use a lockdown-style browsing setup

If you are a journalist, an activist or someone who deals with sensitive information, consider reducing your attack surface. Use Safari only, avoid unnecessary browser extensions, and limit how often you open links inside messaging apps.

4) Turn on Lockdown Mode if you feel at risk

Apple’s Lockdown Mode is designed specifically for targeted attacks. It restricts certain web technologies, blocks most message attachments, and limits attack vectors commonly used by spyware. It is not for everyone, but it exists for situations like this.

5) Reduce your exposed personal data

Targeted attacks often start with profiling. The more personal data about you that is floating around online, the easier it is to pick you as a target. Removing data from broker sites and tightening social media privacy settings can lower your visibility.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services, and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

6) Pay attention to unusual device behavior

Unexpected crashes, overheating, sudden battery drain or Safari closing on its own can sometimes be warning signs. These do not automatically mean your device is compromised. However, if something feels consistently wrong, updating immediately and resetting the device is a smart move.

Kurt’s key takeaway

Apple has not shared details about who was targeted or how the attacks were delivered. However, the pattern fits closely with past spyware campaigns that focused on journalists, activists, political figures and others of interest to surveillance operators. With these patches, Apple has now fixed seven zero-day vulnerabilities that were exploited in the wild in 2025 alone. That includes flaws disclosed earlier this year and a backported fix in September for older devices.

Have you installed the latest iOS or iPadOS update yet, or are you still putting it off? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

Copyright 2025 CyberGuy.com. All rights reserved.

If you’re taking it easy during the slow, in-between week between Christmas and New Year’s, now’s a good time to catch up on deals you might’ve missed. Many of our favorite discounts from the past week are still hanging around, making this an especially convenient moment to shop. Whether you’re eyeing a new phone, gearing up for travel, or just looking to treat yourself before the year wraps up, we’re seeing notable price drops on Google’s Pixel 10 lineup, AirTags, and a wide selection of Nintendo Switch games, along with a handful of other Verge-approved picks worth grabbing now. Here are the best deals worth checking out before the year comes to a close.

Google’s Pixel 10 phones are among the best Android phones you can buy, and this week they’ve dropped to some of their lowest prices yet. Amazon is selling the Pixel 10 for $499 ($300 off) with promo code PIXEL10, marking its second-best price to date. If you want better cameras, Amazon is also offering record-low prices on the Pixel 10 Pro and 6.8-inch Pixel 10 Pro XL, down to $649 ($350 off) and $799 ($400 off), respectively, with the same code.

All three phones support Qi2 wireless charging with built-in magnets and run on Google’s snappy Tensor G5 chip. In her review, The Verge’s Allison Johnson called the Pixel 10 a great, basic Android phone with meaningful upgrades, including a bright 6.3-inch OLED display with a 120Hz refresh rate and up to 3,000 nits of peak brightness. It also adds a dedicated telephoto lens — a first for a non-Pro Pixel — which makes a noticeable difference for portraits.

If you’re aiming for great (not just good) photos, though, the 6.3-inch Pixel 10 Pro or 6.8-inch Pro XL are better picks. Both offer improved main and 48-megapixel ultrawide cameras, and additional AI-powered features like Pro Res Zoom and an upgraded portrait mode. They also come with extra memory for smoother multitasking along with sharper displays.

Anker’s Laptop Power Bank is once again on sale at Amazon and Walmart for $87.99 ($47 off), which matches the record-low price we last saw a month ago. A favorite among Verge staffers, the 25,000mAh / 90Wh power bank features a retractable USB-C cable along with a second built-in USB-C cable that doubles as a handle for easier portability. You also get a handy LCD screen that shows remaining battery life, total power output, and temperature at a glance. It includes a USB-A port and an extra USB-C port as well, letting you charge a MacBook Pro and up to three other devices at the same time. Power output tops out at 165W when charging two devices, or up to 130W with more plugged in — and since it’s carry-on compliant, you can bring the power bank along on flights.

A few more deals we’re digging:

DoorDash wants to help you decide where to eat, not just how your food arrives. The company has launched Zesty, a new artificial intelligence-powered social app built to make finding local restaurants faster and easier. 

Zesty is now in public testing in the San Francisco Bay Area and New York. Instead of scrolling through endless reviews, menus and social videos, the app lets you ask an AI chatbot for recommendations in plain language.

Think of it as a digital concierge for food discovery.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

How Zesty works

Once you open Zesty and sign in with your DoorDash account, the experience feels familiar and simple. You see nearby restaurants and a chat box where you can type exactly what you want. DoorDash says users can ask prompts like:

HOW RESTAURANT RESERVATION PLATFORM OPENTABLE TRACKS CUSTOMER DINING HABITS

• A low-key dinner in Williamsburg that’s good for introverts
• Brunch spots good for groups
• Romantic dinner with a vintage feel

The AI then curates recommendations by pulling information from DoorDash data, Google Maps, TikTok, Reddit and other sources. According to DoorDash co-founder Andy Fang, the goal is to surface the best suggestions from across the web in one place. Each recommendation includes context such as ratings, social buzz and where the suggestion came from. DoorDash says the results do not imply sponsorships or paid placements.

A social network built around food

Zesty also adds a social layer. Users can post photos, leave comments, follow other diners and share saved spots with friends. If you find a restaurant that looks promising, you can bookmark it for later or send it to someone planning dinner with you. This makes Zesty feel less like a search engine and more like a food-focused social network. It is designed for people who enjoy discovering places through other people’s experiences, not just star ratings. For DoorDash, this is a clear shift toward community-driven discovery.

Why DoorDash built Zesty

DoorDash wants to remove friction from the decision process. Instead of bouncing between Google, TikTok, Yelp and delivery apps, Zesty aims to bring everything together in a single guided experience. That approach also aligns with a broader trend. More people already use AI tools like ChatGPT and Gemini to plan meals and trips. Zesty aims to offer that same convenience with a strong local and social focus.

“At DoorDash, we’re always looking for new ways to help people connect with the best of their communities,” a company spokesperson told CyberGuy. “We’re piloting an app called Zesty to make it easier to discover great nearby restaurants, coffee shops, bars, and more through personalized search and social sharing. Zesty is now in public beta in San Francisco and New York, and we’re excited to learn from early testers as we keep shaping what local discovery can look like.”

Of course, Zesty faces an uphill climb. Many users already rely on Google Maps or existing social apps to find restaurants. Some may not want to download another standalone app, even if it promises better recommendations. Still, Zesty could appeal to users who enjoy food discovery as a social activity. For them, a dedicated network built around local dining may feel more useful than generic search results. DoorDash appears willing to test that idea and see how users respond. For now, the company is focused on getting people to use the app, learning what works, and fine-tuning its matching engine. Once that experience feels right, Zesty will expand to more cities.

WOULD YOU EAT AT A RESTAURANT RUN BY AI?

Part of DoorDash’s bigger expansion plan

Zesty is not an isolated experiment. It fits into DoorDash’s broader push beyond food delivery. Earlier this year, DoorDash rolled out features for in-person dining reservations and in-store rewards. The company also continues to invest heavily in automation and AI-driven logistics. 

We reported a few months ago on another major innovation from DoorDash: Dot, its fast new autonomous delivery robot. Dot is designed for short local trips and runs on an AI-powered delivery platform that decides whether an order should be handled by a Dasher, a robot or another method. Together, Zesty and Dot show how DoorDash is trying to own more of the local commerce experience, from discovery to delivery.

What this means to you

If you enjoy trying new restaurants, Zesty could save you time and decision fatigue. Instead of reading dozens of reviews, you can ask for exactly what you want and get curated suggestions instantly. For casual diners, the app may feel unnecessary if Google already works fine. For food lovers who like sharing finds and following others with similar tastes, Zesty could become a useful daily tool. It also signals where local discovery may be heading. AI-driven recommendations paired with social proof could soon replace traditional review hunting.

Take my quiz: How safe is your online security?

Think your devices and data are truly protected? Take this quick quiz to see where your digital habits stand. From passwords to Wi-Fi settings, you’ll get a personalized breakdown of what you’re doing right and what needs improvement. Take my Quiz here: Cyberguy.com.

Kurt’s key takeaways

Zesty shows DoorDash experimenting with how people choose where to eat, not just how food gets delivered. By combining AI search with social sharing, the company is testing a more conversational and community-driven approach to local discovery. Whether Zesty becomes essential or stays niche will depend on how well it delivers meaningful recommendations. Still, it highlights DoorDash’s growing ambition to shape more parts of our everyday local life.

Would you trust an AI-powered social app to pick your next favorite restaurant, or do you still prefer finding places the old-fashioned way? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter. 

Copyright 2025 CyberGuy.com. All rights reserved.