TL;DR
Apple and Google released emergency updates after zero-day vulnerabilities were observed being exploited in the wild. Both firms provided limited technical detail but signaled the attacks were sophisticated and targeted, prompting urgent patches for browsers and Apple devices.
What happened
Over the past few days Apple and Google deployed emergency fixes after discovering zero-day flaws that were already being used by attackers. Apple issued security updates across iPhones, iPads and Macs to address two WebKit bugs it said may have been abused in an “extremely sophisticated attack against specific targeted individuals.” Google quietly pushed a Chrome Stable update that fixed several issues, including a high-risk out-of-bounds memory access bug tracked as CVE-2025-14174, and acknowledged awareness of an exploit in the wild. Google later amended its patch notes following Apple’s disclosure, showing overlap between the companies’ investigations. Both vendors gave few technical specifics; Google credited discovery of the Chrome flaw to Apple’s security engineering team and Google’s Threat Analysis Group, a unit known for tracking commercial spyware and state-linked intrusion campaigns. Neither firm disclosed the number or identities of targets.
Why it matters
- Zero-day exploits in browsers and browser engines can enable full device compromise if weaponized against users.
- The involvement of teams that track mercenary spyware and state-backed campaigns suggests these were targeted, high-end operations rather than opportunistic attacks.
- Emergency, limited-disclosure patches leave users exposed until updates are applied and researchers can independently analyze fixes.
- A continuing flow of zero-days in 2025 highlights persistent attacker interest in browsers and mobile platforms as valuable attack surfaces.
Key facts
- Apple released security updates for iPhone, iPad and Mac addressing two WebKit vulnerabilities.
- Apple said the WebKit bugs may have been abused in an “extremely sophisticated attack against specific targeted individuals.”
- Google issued a Chrome Stable update that fixed multiple issues, including CVE-2025-14174, an out-of-bounds memory access vulnerability.
- Google stated it was aware of an exploit for CVE-2025-14174 being used in the wild.
- Google credited the discovery of the Chrome bug to Apple’s security engineering team and Google’s Threat Analysis Group.
- Google updated its patch notes after Apple’s disclosure, revealing overlap between the two companies’ investigations.
- Both companies provided scant technical detail about the vulnerabilities and the active exploitation.
- With these fixes, Apple has patched nine vulnerabilities exploited in the wild in 2025; Google has addressed eight Chrome zero-days this year.
What to watch next
- Vendor updates and technical advisories from Apple and Google for further disclosure and analysis.
- Whether forensic details will link the exploited bugs to a named spyware vendor or state actor — not confirmed in the source.
- Patch adoption rates and any follow-on exploitation or secondary vulnerabilities discovered after public analysis — not confirmed in the source.
Quick glossary
- Zero-day: A software vulnerability that is unknown to the vendor and has no available patch when attackers exploit it.
- WebKit: An open-source browser engine that renders web pages; because several browsers and platforms (including all browsers on iOS) build on it, a single WebKit flaw can expose every product that uses it.
- Out-of-bounds memory access: A memory-safety bug in which code reads or writes outside the buffer it was allocated; depending on what lies in the adjacent memory, the result ranges from a crash to information leakage or arbitrary code execution.
- Patch: A software update intended to fix vulnerabilities, bugs or other defects in an application or operating system.
- Threat Analysis Group (TAG): A security team that tracks sophisticated threat actors, including commercial spyware vendors and state-linked intrusion campaigns.
Reader FAQ
Were the targets identified?
Not confirmed in the source.
Did Apple and Google confirm the same exploit was used against both platforms?
The companies revealed overlap between investigations and Google credited Apple and its Threat Analysis Group in the discovery, but full technical linkage was not detailed.
Has a patch been released for affected users?
Yes — Apple pushed updates for iPhones, iPads and Macs, and Google shipped a Chrome Stable channel update.
Do we know which spyware group or state actor was responsible?
Not confirmed in the source.
Sources
- Apple, Google forced to issue emergency 0-day patches (Carly Page, Mon 15 Dec 2025): “Both admit attackers were already exploiting the bugs, with scant detail and hints of spyware-grade abuse”
- Apple Patches Two Zero-Days Tied to Mysterious Exploited …
- Google and Apple roll out emergency security updates …