Apple users urged to update their device software following security warnings
- CSA advises Apple users to immediately update to iOS 26.2 to patch two zero-day vulnerabilities exploited in real-life attacks.
- CVE-2025-43529 allows remote code execution, and CVE-2025-14174 causes memory corruption when loading malicious web content.
- iOS 26.2 patches over 20 flaws, including vulnerabilities affecting hidden photos, payment tokens, and password fields; update promptly to minimise risk.
AI generated
SINGAPORE – The Singapore Cyber Emergency Response Team (SingCert) has issued an alert urging Apple users to update the software of their iPhones and iPads to the latest iOS 26.2 after flaws in previous software versions were found to have been exploited in attacks.
SingCert, which operates under the Cyber Security Agency of Singapore (CSA),
ST understands that CSA has not received any reports on users affected by the vulnerabilities.
Apple’s iOS 26.2, released on Dec 12, fixes over 20 flaws in the firm’s iOS software, two of which had already been used in real-life attacks.
The two flaws are in WebKit, which is Apple’s own web browser engine and the core technology behind its Safari browser on iOS, iPadOS, and macOS.
According to Apple’s support website, the two exploited vulnerabilities are CVE-2025-43529 and CVE-2025-14174. The first allows a hacker to run malicious code remotely when a user accesses malicious web content. The second could lead to memory corruption when a user loads malicious web content.
The vulnerabilities affected the following devices and products:
- iPhone 11 and later
- iPad Pro 12.9-inch (3rd generation and later)
- iPad Pro 11-inch (1st generation and later)
- iPad Air (3rd generation and later)
- iPad (8th generation and later)
- iPad mini (5th generation and later)
Mr Darren Guccione, co-founder of US-headquartered cyber security firm Keeper Security, said that WebKit, which is a fundamental element of every iPhone browser, continues to be a prime target for attackers.
“It sits at the intersection of web content and the operating system. That makes it a valuable attack surface for adversaries seeking to compromise iOS devices,” said Mr Guccione.
Apple rolled out iOS 26.2 after sending warnings to users in some 150 countries that they were being targeted by spyware.
Other than fixing the two zero-day vulnerabilities, the new update also includes patches for over 20 security flaws.
These include vulnerabilities that allow threat actors to view photos in the hidden photos album without authentication, steal sensitive payment tokens and access password fields when remotely controlling a device over FaceTime.
Mr Guccione urged users to quickly update their software.
“Once Apple issues a fix, details about the vulnerabilities quickly become public, giving attackers a road map to exploit any devices that have not yet been patched. The longer users wait, the greater the risk,” he said.
“Installing iOS 26.2 is not just a matter of convenience – it’s a critical security step. Regularly updating operating systems and apps is one of the simplest yet most effective ways to protect against compromise. Every patch closes known weaknesses that sophisticated actors actively seek to exploit,” said Mr Guccione.
He added that other measures such as using strong and unique passwords for every account, enabling multi-factor authentication and learning to recognise signs of phishing are fundamentals of good cyber hygiene.

