

Apple recently patched a zero-day hole in WebKit that was used in real-world phone attacks.
Very quickly, here’s a reminder of how the terminology works: it’s a ‘fingers-and-thumbs’ scenario.
Not all software bugs are vulnerabilities, though surprisingly many of them are; but all vulnerabilities are bugs. (Strictly speaking, you can have a vulnerability that is entirely down to misconfiguration, and not to a coding bug, but we’ll ignore that aspect for now.)
Not all vulnerabilities are exploitable, though quite a lot of them are; but all exploitable holes are vulnerabilities, as the names themselves suggest.
And not all exploits are zero-days, fortunately, because a zero-day is basically a bug that the Bad Guys found and abused first, and that was only spotted by the Good Guys once the Bad Guys started using it.
But all zero-days represent exploits that, rather obviously, pose a clear and present danger.
Zero-days are variously bought and sold for sneaking into networks, stealing customer data, implanting spyware, crashing critical servers, circulating fake news, making provocative political statements, embarrassing companies, boosting or hurting share prices, or for pulling off a variety of malevolent or unwanted outcomes.
Simply put, the name comes from the fact that there were zero days during which even the world’s most keen and proactive Sysadmin or SOCstar could have patched in advance, for the simple reason that the patches only came out after the attack that necessitated them.
If you’re a LinkedIn user and you’re not yet following @SolCyber, do so now to keep up with the delightfully useful Amos The Armadillo’s Almanac series. At the time of writing, we’re in the middle of The 0x0C Days of Sysmas, a humorous seasonal song that celebrates the Sysadmins and SOCstars who work all year round to keep us safe online.
Even if you know all the jargon yourself, Amos will help you explain it to colleagues, friends, and family in an unpretentious, unintimidating way.
The Common Vulnerabilities and Exposures identifier for this vulnerability is CVE-2025-14174.
Details about the bug itself are still something of an insider secret, presumably suppressed for a while to make it harder for well-meaning researchers and evil-seeking criminals alike to come up with proof-of-concept (PoC) code to ‘help’ their respective communities.
This suggests that this exploit may have been hard to find from scratch (possible reading: some cybercrime group or inquisitive government paid $X,0000,000 for it and has therefore been very careful to use it unobtrusively so far), but that it might be comparatively easy to ‘rediscover’ if you were pointed in approximately the right direction.
As an analogy, think of the metaphor “like finding a needle in a haystack.”
There are ways to do this, but they tend to be time-consuming and noticeable, either because they are disruptively labor-intensive (e.g. pull all bales apart by hand and inspect carefully), or obviously destructive (e.g. burn all the hay and pass the residue under an electromagnet, hoping the needle is made of steel).
But if someone tells you which bale the needle is in, what size it is, what it’s made of, and so on, then finding it becomes very much easier.
The security hole, it seems, is some sort of buffer overflow in ANGLE, a low-level graphics library shared by many browsers.
The list includes Apple’s, Google’s, and Microsoft’s browsers, and probably many others, notably those based on Google’s Chromium project.
That means, in turn, that the bug can probably be triggered and exploited as part of browsing or rendering an apparently innocent file or web page.
At best, an exploitable hole of this sort can be abused by luring victims to open or view a document, web page, image, or video, perhaps with no need to click through anywhere else, and with no pop-up dialog offering at least a fighting chance to say, “No, thanks.”
At worst, a background process that fetches and pre-prepares data for display – a messaging app that creates a thumbnail for use later on, for example, or a browser that downloads and caches content for a page it assumes you will visit next or soon – could be provoked into malicious activity without any action on your part.
The latter sort of attack has its own special nickname, namely zero-click, because it doesn’t need you, the user, to do anything at all to get attacked, not even to open your email or messaging app, or to look at an innocent-sounding image that really ought to be safe to view.
Unfortunately, this bug exists in code that is shared by many different content-rendering engines, including: all iPhone browsers (Apple requires all App Store apps to base themselves on WebKit, even if they have their own renderer on other platforms); Apple Safari; Google Chrome/Chromium; Microsoft Edge; and more.
It’s likely you have auto-updating turned on, either by choice, or by force of circumstance (some locally-installed software no longer bothers to ask if it should ‘fix’ itself, but does so automatically).
But even if you do, auto-updates don’t always work, often for reasons that the software creator can’t control, such as: running out of mobile data; not noticing that your favourite Wi-Fi password has changed; or running up against an unexpected blocklist false positive in the security software that’s supposed to protect you at the network edge.
Whichever browser you use, whatever operating system (OS) you are running, and whatever devices you have, check that you are up-to-date, and rectify that situation if you aren’t:
⋮ at top right) > Help > About Google Chrome.
⋯ at top right) > Help and feedback > About Microsoft Edge.
≡ at top right) > Help > About Firefox. (Firefox uses ANGLE but hasn’t been reported as vulnerable so far.)
Note to Linux and xBSD users. Your distro may package and distribute browser updates for you, in which case you should check with your distro provider for the latest version, using the relevant update command of your distro’s package manager.
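For the Linux case in the note above, here is one way to confirm what is actually installed rather than trusting that an auto-update went through (an added example, not part of the original article). The MIN_* values are placeholders because the article gives no fixed version numbers, and google-chrome and microsoft-edge are assumed to be the launcher names on your distro.

```sh
#!/bin/sh
# Added example: compare installed browser versions with a required minimum.
# MIN_* are PLACEHOLDERS: take the real fixed versions from each vendor's
# advisory for CVE-2025-14174 before relying on the result.
MIN_CHROME="0.0.0.0"   # placeholder
MIN_EDGE="0.0.0.0"     # placeholder

# version_ge A B: succeed if dotted version A >= B, comparing numerically
# field by field (so 131.0.10.2 > 131.0.9.9, which a string compare gets wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# extract_version TEXT: first dotted number in a "--version" style line.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9.]*[0-9]\).*$/\1/p' | head -n 1
}

# check_browser NAME MIN VERSION_OUTPUT
# Returns 0 = up to date, 1 = outdated, 2 = version could not be read.
check_browser() {
    name=$1 min=$2 ver=$(extract_version "$3")
    if [ -z "$ver" ]; then
        echo "$name: not installed or version unreadable"; return 2
    fi
    if version_ge "$ver" "$min"; then
        echo "$name: $ver OK (>= $min)"
    else
        echo "$name: $ver OUTDATED (need >= $min)"; return 1
    fi
}

for pair in "google-chrome:$MIN_CHROME" "microsoft-edge:$MIN_EDGE"; do
    bin=${pair%%:*}
    out=$(command -v "$bin" >/dev/null 2>&1 && "$bin" --version 2>/dev/null) || true
    check_browser "$bin" "${pair#*:}" "$out" || true
done
```

This reports the version installed on disk; a browser window that was already open before the update keeps running the old code until it is restarted.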
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!






