This warning comes after the discovery of two critical security vulnerabilities in the WebKit browser engine – the engine that powers Safari and all other browsers on iOS. Apple described these vulnerabilities as part of a "highly sophisticated cyberattack" targeting specific individuals.
This attack works through malicious websites that can trick the device into executing malicious code. This means that attackers could gain control of a user's iPhone or iPad, or run code without their knowledge or consent.
Fortunately, users who have already enabled automatic updates have received the security patch automatically and without any intervention. For other users who do not have this feature enabled, they must immediately go to the Settings app on their devices, search for System Update, and then manually download and install either iOS 26.2 or iPadOS 26.2.
The greatest risk is concentrated on a generation of devices starting with the iPhone 11 and later, along with the 12.9-inch iPad Pro (third generation and later), the 11-inch iPad Pro (first generation and later), the iPad Air series (third generation and later), the iPad (eighth generation and later), and the iPad Mini (fifth generation and later).
This risk stems from the classification of the two vulnerabilities as "zero-day vulnerabilities," a technical term referring to vulnerabilities that were completely unknown to developers before their discovery. This means they were vulnerable to exploitation by malicious actors before Apple released any patches. This discovery, made jointly by specialized teams from Apple and Google, underscores the potential threat posed by such vulnerabilities.
Apple did not limit itself to updating the systems of phones and tablets, but extended the series of patches to include a wide range of its systems, including updated versions of the operating systems for Macs, TVs, watches, Vision Pro smart glasses, as well as the Safari browser itself.
The first vulnerability, called "Use-after-free," relates to a memory management issue that was resolved by improving the system's handling of temporary data, and it was identified as CVE-2025-43529. The second, a "Memory corruption" vulnerability, was fixed by introducing more stringent checks, and it was identified as CVE-2025-14174
Apple confirmed that it does not disclose or discuss full details of security vulnerabilities until the investigation is complete and actual solutions are available to users, in order to protect their safety.
Beyond the immediate procedure of updating, security experts such as Kurt Knutson offer a range of practical tips for future prevention:
1. Immediate updates are the most important solution: because "zero-day" attacks depend on users having an outdated patch.
2. Enable automatic updates: To protect the device automatically even if the user does not notice the official announcement.
3. Beware of links: Many vulnerabilities begin with visiting malicious websites. Avoid clicking on unexpected links in text messages, messaging apps, or emails. If in doubt, it's best to manually type the address into your browser.
4. Use antivirus software: It protects against malicious links, ransomware, and phishing, and safeguards personal data
5. Reduce your digital footprint: Targeted attacks often begin with information gathering. Reducing the personal information available on social media and removing it from data collection sites decreases the likelihood of being targeted. Data removal services, which monitor and delete information from hundreds of sites, can be used. While expensive, these services offer strong proactive privacy protection.
By combining these elements – real-time updates, proactive browsing, technical protection tools, and limiting digital exposure – a user can build multi-layered immunity that makes it more difficult to hack their devices and steal their data in a world where cyber threats are accelerating
