Apple and Google have both issued emergency patches after zero-day bugs were caught being actively exploited in what the companies describe as “sophisticated” real-world attacks.
Over the past few days, the two tech giants have rushed updates out the door to close vulnerabilities that attackers were already abusing against an unspecified number of targets, once again forcing users to patch first and ask questions later.
Apple pushed fresh security updates across much of its ecosystem, including iPhones, iPads, and Macs, fixing a pair of bugs in WebKit that it says may have been abused in an “extremely sophisticated attack against specific targeted individuals.” As usual, Cupertino was light on technical detail, offering little more than a warning that the exploits were real and already in circulation.
Google, meanwhile, shipped a Chrome Stable channel update addressing multiple security flaws, including at least one zero-day that had already been exploited before a fix was available. The high-risk bug, tracked as CVE-2025-14174, was described as an out-of-bounds memory access vulnerability, with Google acknowledging it was aware of an exploit in the wild.
Google quietly fixed the Chrome bug last Wednesday, but said the vulnerability was still “under coordination.” The Chocolate Factory updated its patch notes after Apple disclosed its own findings, revealing the overlap between the two companies’ investigations.
Neither company has spilled many technical details, but Google credits the discovery of CVE-2025-14174 to Apple’s security engineering team and Google’s Threat Analysis Group – a unit better known for tracking mercenary spyware vendors and state-backed intrusion campaigns than for chasing everyday malware. That attribution strongly hints this was spyware-grade exploitation rather than opportunistic drive-by hacking.
The flurry of fixes adds to a growing zero-day tally for both firms. With these latest updates, Apple has now patched nine vulnerabilities exploited in the wild so far in 2025, while Google has been forced to tackle eight Chrome zero-days this year, a pace that suggests attackers continue to prize browsers and mobile platforms as some of the most lucrative real estate around. ®