Technology
Apple patches two zero-day flaws used in targeted attacks
NEWYou can now listen to Fox News articles!
Apple has released emergency security updates to fix two zero-day vulnerabilities that attackers actively exploited in highly targeted attacks.
The company described the activity as an “extremely sophisticated attack” aimed at specific individuals. Although Apple did not identify the attackers or victims, the limited scope strongly suggests spyware-style operations rather than widespread cybercrime.
Both flaws affect WebKit, the browser engine behind Safari and all browsers on iOS. As a result, the risk is significant. In some cases, simply visiting a malicious webpage may be enough to trigger an attack.
Below, we break down what these vulnerabilities mean and explain how you can better protect yourself.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.
Apple released emergency updates after confirming two zero-day WebKit flaws were actively exploited in targeted attacks. (Reuters/Thomas Peter/File Photo)
NEW IPHONE SCAM TRICKS OWNERS INTO GIVING PHONES AWAY
What Apple says about the zero-day vulnerabilities
The two vulnerabilities are tracked as CVE-2025-43529 and CVE-2025-14174, and Apple confirmed that both were exploited in the same real-world attacks. According to Apple’s security bulletin, the flaws were abused on versions of iOS released before iOS 26, and the attacks were limited to “specific targeted individuals.”
CVE-2025-43529 is a WebKit use-after-free vulnerability that can lead to arbitrary code execution when a device processes maliciously crafted web content. To put it simply, it allows attackers to run their own code on a device by tricking the browser into mishandling memory. Apple credited Google’s Threat Analysis Group with discovering this flaw, which is often a strong indicator of nation-state or commercial spyware activity.
The second flaw, CVE-2025-14174, is also a WebKit issue, this time involving memory corruption. While Apple describes the impact as memory corruption rather than direct code execution, these types of bugs are often chained together with other vulnerabilities to fully compromise a device. Apple says this issue was discovered jointly by Apple and Google’s Threat Analysis Group.
In both cases, Apple acknowledged that it was aware of reports confirming active exploitation in the wild. That language is important because Apple typically reserves it for situations where attacks have already occurred, not just theoretical risks. The company says it addressed the bugs through improved memory management and better validation checks, without sharing deeper technical details that could help attackers replicate the exploits.
Devices affected and signs of coordinated disclosure
Apple has released patches across its supported operating systems, including the latest versions of iOS, iPadOS, macOS, Safari, watchOS, tvOS and visionOS.
According to Apple’s advisory, affected devices include iPhone 11 and newer models, multiple generations of iPad Pro, iPad Air from the third generation onward, the eighth-generation iPad and newer and the iPad mini starting with the fifth generation. This covers the vast majority of iPhones and iPads still in active use today.
Apple has patched the flaws across its entire ecosystem. Fixes are available in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2 and Safari 26.2. Because Apple requires all iOS browsers to use WebKit under the hood, the same underlying issue also affected Chrome on iOS.
6 steps you can take to protect yourself from such vulnerabilities
Here are six practical steps you can take to stay safe, especially in light of highly targeted zero-day attacks like this.
REAL APPLE SUPPORT EMAILS USED IN NEW PHISHING SCAM
Because WebKit powers Safari and all iOS browsers, even a malicious webpage may be enough to put unpatched devices at risk. (Jakub Porzycki/NurPhoto via Getty Images)
1) Install updates as soon as they drop
This sounds obvious, but it matters more than anything else. Zero-day attacks rely on people running outdated software. If Apple ships an emergency update, install it the same day if you can. Delaying updates is often the only window attackers need. If you tend to forget about updates, let your devices handle them for you. Enable automatic updates for iOS, iPadOS, macOS and Safari. That way, you are protected even if you miss the news or are traveling.
2) Be careful with links, even from people you know
Most WebKit exploits start with malicious web content. Avoid tapping on random links sent over SMS, WhatsApp, Telegram or email unless you are expecting them. If something feels off, open the site later by typing the address yourself.
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com.
3) Use a lockdown-style browsing setup
If you are a journalist, an activist or someone who deals with sensitive information, consider reducing your attack surface. Use Safari only, avoid unnecessary browser extensions, and limit how often you open links inside messaging apps.
4) Turn on Lockdown Mode if you feel at risk
Apple’s Lockdown Mode is designed specifically for targeted attacks. It restricts certain web technologies, blocks most message attachments, and limits attack vectors commonly used by spyware. It is not for everyone, but it exists for situations like this.
5) Reduce your exposed personal data
Targeted attacks often start with profiling. The more personal data about you that is floating around online, the easier it is to pick you as a target. Removing data from broker sites and tightening social media privacy settings can lower your visibility.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services, and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.
Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.
Apple urges users to install the latest updates, especially those who may face higher-risk, targeted threats. (Cheng Xin/Getty Images)
6) Pay attention to unusual device behavior
Unexpected crashes, overheating, sudden battery drain or Safari closing on its own can sometimes be warning signs. These do not automatically mean your device is compromised. However, if something feels consistently wrong, updating immediately and resetting the device is a smart move.
Kurt’s key takeaway
Apple has not shared details about who was targeted or how the attacks were delivered. However, the pattern fits closely with past spyware campaigns that focused on journalists, activists, political figures and others of interest to surveillance operators. With these patches, Apple has now fixed seven zero-day vulnerabilities that were exploited in the wild in 2025 alone. That includes flaws disclosed earlier this year and a backported fix in September for older devices.
Have you installed the latest iOS or iPadOS update yet, or are you still putting it off? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.
Copyright 2025 CyberGuy.com. All rights reserved.
This weekend’s scheduled Blue Origin rocket launch is rather momentous. Success would signal an end to SpaceX’s monopoly on reusable orbital launch vehicles, and set up a three-way race to make that “No Service” indicator on your phone disappear forever.
On Sunday morning, Jeff Bezos’ massive New Glenn rocket is scheduled to launch with the first-stage booster that launched and landed on the program’s second mission last November. It’s a critical test, because cost-effective booster reuse is what’s made SpaceX’s Falcon 9 so dominate.
Amazon desperately needs a reusable rocket of its own to accelerate its Leo launches. Without one, it’s only been able to launch 241 Leo satellites, putting it well behind schedule. In that same 12-month time period, SpaceX’s Falcon 9 rocket was able to deploy over 1,500 satellites to its Starlink constellation.
Sunday’s mission will carry AST SpaceMobile’s BlueBird 7 satellite to low Earth orbit. Instead of blanketing the region with thousands of small satellites like Amazon and SpaceX, AST’s plan is to deploy fewer satellites that are much more powerful. Bluebird 7 features a massive 2,400-square-foot phased-array antenna, making it the largest commercial communications array ever deployed in low Earth orbit. It’s essentially a cell tower in space, and will be the second of the company’s “Block 2” next-generation satellites to launch.
The BlueBird 7 is designed to provide 4G and 5G broadband, at speeds exceeding 120 Mbps, to the phones we already carry. AST plans to have 45 to 60 satellites launched by the end of 2026. When AST lights up its service sometime this year, it will be in direct competition with Starlink’s direct-to-cell service, already operating with T-Mobile in the US, and Globalstar, the satellite network snapped up by Amazon that keeps iPhones and Apple Watches communicating in dead zones.
Cyber expert shares tips to avoid AI phishing scams
Kurt ‘The CyberGuy’ Knutsson shares practical ways to avoid falling victim to AI-generated phishing scams and discusses a report that North Korean agents are posing as I.T. workers to funnel money into the country’s nuclear program.
NEWYou can now listen to Fox News articles!
You probably think your messages are safe. After all, apps like WhatsApp, Signal and Telegram promote strong encryption.
But a new warning from the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation shows that attackers do not need to break encryption at all.
Instead, they are going after you.
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
FBI WARNS ABOUT FOREIGN APPS AND YOUR DATA
A new federal advisory says phishing campaigns tied to Russian intelligence are going after messaging app users instead of trying to break encryption. (MStudioImages/Getty Images)
What the FBI and CISA just revealed
According to the joint advisory, cyber actors tied to Russian intelligence are running large-scale phishing campaigns targeting messaging apps.
These attacks are not random. They have focused on high-value targets like government officials, military personnel and journalists. However, the tactics can easily spread to everyday users.
Here is the key takeaway: Hackers are not cracking the apps themselves. They are tricking people into giving up access.
How these messaging app attacks actually work
This is where it gets interesting and a bit unsettling. Instead of breaking encryption, attackers use phishing to gain control of individual accounts. Once inside, they can:
- Read private conversations
- Access contact lists
- Send messages as if they were you
- Launch new scams targeting your contacts
It becomes a chain reaction. One compromised account can quickly lead to many more. In some cases, attackers impersonate trusted contacts. That makes the scam feel real and urgent.
Why encryption is not enough anymore
Encryption still matters. It protects messages as they travel between devices. But here is the problem. If someone logs into your account, they see everything just like you do.
That means even the most secure app cannot protect you if your login gets compromised. This is a shift in how cyberattacks work. The weakest link is no longer the technology. It is human behavior.
AI IS NOW POWERING CYBERATTACKS, MICROSOFT WARNS
The FBI and CISA are warning that attackers are targeting users of encrypted messaging apps by tricking them into handing over account access. (BackyardProduction/Getty Images)
Who is at risk from messaging app phishing attacks
While the advisory highlights high-profile targets, the tactics are not limited to them.
If you use messaging apps for:
- Personal conversations
- Work communication
- Sharing sensitive information
You are a potential target. Phishing works because it relies on simple mistakes. A quick tap on the wrong link is often all it takes.
What this means for you
This warning highlights a bigger trend. Cyberattacks are becoming more personal. Instead of attacking systems, hackers are targeting people directly. That makes awareness your strongest defense. The more you understand how these scams work, the harder it becomes for attackers to succeed.
Ways to stay safe from messaging app phishing attacks
You do not need to be a cybersecurity expert to protect yourself. You just need to slow things down and follow a few smart habits.
1) Be skeptical of unexpected messages
If a message feels urgent or out of place, pause. Even if it looks like it came from someone you know.
2) Never click suspicious links
Avoid links sent through messages unless you can verify them independently. Strong antivirus software can help detect suspicious behavior after a compromise. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com.
3) Turn on two-factor authentication
Two-factor authentication (2FA) adds a second layer of protection even if your password gets exposed.
TECH GIANTS UNITE TO FIGHT ONLINE SCAMS
Officials say hackers can read messages, access contacts and impersonate users once they gain control of a messaging app account. (FreshSplash/Getty Images)
4) Watch for login alerts
Many apps notify you when a new device signs in. Do not ignore these warnings.
5) Verify requests in another way
If a contact asks for something unusual, call them or confirm through another channel.
6) Use a data removal service
Limit how much of your personal information is available online. Data removal services work to delete your data from broker sites, making it harder for scammers to target you with convincing phishing messages. Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.
7) Keep your device and apps updated
Install updates regularly. Security patches fix vulnerabilities that attackers can exploit after gaining access.
Kurt’s key takeaways
Messaging apps feel private. They feel secure. That sense of comfort is exactly what attackers are counting on. The technology is still strong. The real question is whether your habits are keeping up. So the next time a message pops up that feels slightly off, trust that instinct and take a second look.
Have you ever received a suspicious message that made you stop and question if it was real? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
Copyright 2026 CyberGuy.com. All rights reserved.
YouTube is making some changes that might affect how you share videos from the mobile app. From the app, you can finally share videos from a specific timestamp, which will make it easier to point someone to a part of a video you might want them to see while you’re on your phone. However, this change will replace the Clips feature that lets you make a shareable clip from a video.
You’ll still be able to watch any Clips that you’ve already made. But moving forward, “the ability to set an end time or include a custom description when sharing will no longer be available,” YouTube says. The company notes that while clipping is “important way for creators to reach new audiences,” it says that “a number of third-party tools with advanced clipping features and authorized creator programs are now available to do this across different video platforms.”
The company originally introduced the Clips feature in 2021.
Californians are pouring money into Democrats’ Senate races in other states
1,200% jump in kratom-related calls to poison control centers in last decade, analysis shows
Lakers ‘elevate’ work for playoffs with Luka Doncic and Austin Reaves injured
Pressure mounts on Peru’s election authorities amid presidential race delay
Tornadoes touch down in Rochester area
Florida High School Football Rankings: Top 25 teams – Oct. 21
How old is Bo Nix? What to know about Oregon quarterback ahead of 2024 NFL Draft
Cleary's 21 help Le Moyne down Central Connecticut State 69-64 in OT
99th annual Pony Swim held in Virginia
Indiana Members Credit Union announced as new anchor tenant at Bottleworks District
Pressure mounts on Peru’s election authorities amid presidential race delay
Tornadoes touch down in Rochester area
Minnesota Republicans reveal which far-left candidate they want to challenge in open Senate race
Swedish rights groups slam ‘honest living’ criteria for migrants
Orbán’s defeat is a win for democracy and a warning to Trump, some say
-
Ohio3 days ago‘Little Rascals’ star Bug Hall arrested in Ohio
-
Arkansas1 week agoArkansas TV meteorologist Melinda Mayo retires after nearly four decades on air
-
Austin, TX1 week agoABC Kite Fest Returns to Austin for Annual Celebration – Austin Today
-
Politics3 days agoDem fundraising giant in the hot seat as GOP lawmakers demand answers over dodged subpoena
-
Science3 days ago‘Dr. Pimple Popper’ Sandra Lee had a stroke last fall. Here’s how the TV doc is bouncing back
-
Politics6 days agoTrump blasts Spanberger ahead of Virginia meetings, says state faces tax base exodus like New York, California
-
Health1 week agoWoman discovers missing nose ring traveled to her lungs, causing month-long cough
-
San Francisco, CA5 days agoPresident Trump terminates Presidio Trust