News: 0180794038


Apple Patches Decade-Old IOS Zero-Day, Possibly Exploited By Commercial Spyware (securityweek.com)

(Sunday February 15, 2026 @03:34AM (EditorDavid) from the fixing-a-hole dept.)


This week Apple patched iOS and macOS against what it [1]called "an extremely sophisticated attack against specific targeted individuals."

[2] Security Week reports that the bugs "could be exploited for information exposure, denial-of-service (DoS), arbitrary file write, privilege escalation, network traffic interception, sandbox escape, and code execution."

> Tracked [3]as CVE-2026-20700, the zero-day flaw is described as a memory corruption issue that could be exploited for arbitrary code execution... The tech giant also noted that the flaw's exploitation is linked to attacks involving CVE-2025-14174 and CVE-2025-43529, two zero-days [4]patched in WebKit in December 2025...

>

> The three zero-day bugs were identified by Apple's security team and Google's Threat Analysis Group and their descriptions suggest that they might have been exploited by commercial spyware vendors... Additional information is available on Apple's [5]security updates page.

Brian Milbier, deputy CISO at Huntress, [6]tells the Register that the dyld/WebKit patch "closes a door that has been unlocked for over a decade."

Thanks to Slashdot reader [7]wiredmikey for sharing the article.



[1] https://support.apple.com/en-us/126346

[2] https://www.securityweek.com/apple-patches-ios-zero-day-exploited-in-extremely-sophisticated-attack/

[3] https://support.apple.com/en-us/126346

[4] https://www.securityweek.com/apple-patches-two-zero-days-tied-to-mysterious-exploited-chrome-flaw/

[5] https://support.apple.com/en-us/126346

[6] https://www.theregister.com/2026/02/12/apple_ios_263/

[7] https://www.slashdot.org/~wiredmikey



So while the summary doesn't make this clear (Score:2)

by 93 Escort Wagon ( 326346 )

CVE-2025-14174 was a Chrome vulnerability, and (if the "over a decade" comment is accurate) Chrome has likely also been vulnerable all this time.

Which makes sense, given Chrome and Safari's original shared code base.

dynamic linker (Score:2)

by johnjones ( 14274 )

that's why they went all out for

https://security.apple.com/blog/memory-integrity-enforcement/

be nice if they actually helped others i.e. linux

google have done half of this before apple...

JJ

IOS vs iOS (Score:2)

by Unpopular Opinions ( 6836218 )

Case matters: IOS is the Cisco classic OS for its routers and switches, whereas iOS is the actual Apple OS name for iPhone devices.
