Saturday, January 31, 2026

Apple & Google Patch Zero-Day Attack Holes


Apple and Google simultaneously deployed critical security fixes this week after discovering their systems were compromised through previously unknown vulnerabilities, with evidence pointing toward state-sponsored attackers targeting specific individuals.

Two iPhones – artistic impression. Image credit: Zeesha via Unsplash, free license

Key Takeaways:

  • Google patched a Chrome browser flaw (CVE-2025-14174) that hackers actively exploited before fixes became available
  • Apple secured two vulnerabilities across its entire product ecosystem after detecting attacks against particular users
  • Joint investigation by Apple’s security team and Google’s Threat Analysis Group suggests government-backed hackers orchestrated the campaign

Google broke from standard practice when announcing the Chrome updates on Wednesday. The company initially withheld details about the patches released for its version 143.0.7499.109/.110 browser update. This silence lasted until Friday, when Google revealed that Apple’s Security Engineering and Architecture team, working alongside Google’s Threat Analysis Group, had uncovered the flaw.

The Threat Analysis Group specializes in tracking government-sponsored hacking operations and commercial spyware vendors. Their involvement signals that nation-state actors likely orchestrated these attacks rather than common cybercriminals.

Apple moved simultaneously, pushing security updates across its entire hardware lineup: iPhones, iPads, Mac computers, Vision Pro headsets, Apple TV devices, Apple Watches, and the Safari browser. The company’s security bulletin for mobile devices addressed two separate vulnerabilities.

Apple acknowledged awareness “that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals” using devices running versions before iOS 26. This carefully worded statement follows Apple’s established protocol for confirming zero-day exploitation—attacks that leverage software flaws unknown to manufacturers at the time hackers deploy them.

Historical patterns suggest these incidents often involve commercial spyware tools developed by companies like NSO Group or Paragon Solutions. These firms sell sophisticated hacking capabilities to governments, which then deploy them against journalists, political dissidents, and human rights defenders.

The Chrome vulnerability, designated CVE-2025-14174 and rated “High” severity, involves out-of-bounds memory access in ANGLE, a graphics abstraction layer. Google confirmed “an exploit for CVE-2025-14174 exists in the wild,” meaning attackers were using it against real targets.

Beyond the zero-day flaw, Google’s update addressed two additional medium-severity bugs. Security researcher Weipeng Jiang discovered a “use after free” error in Chrome’s Password Manager, while Khalil Zhani identified an implementation issue in the browser’s toolbar. Google awarded $2,000 bounties to each researcher.

It remains unclear how many users fell victim to these attacks or which specific groups were targeted. Both companies maintained their usual discretion about victim identities and attack specifics, balancing transparency with user privacy and ongoing security investigations.

Google noted that many security vulnerabilities never reach users because the company employs automated detection tools, including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL during development cycles.

Users should immediately install the available updates across all affected devices. The patches will roll out globally over the coming days and weeks through automatic update mechanisms.


Written by Alius Noreika



