Apple does not often use language like “extremely sophisticated attack.” When it does, it usually means something has already gone wrong.

Late last month, Apple patched two serious WebKit vulnerabilities that were already being exploited to compromise iPhones. The fixes arrived just before the holidays, bundled into iOS 26.2. On paper, that should have closed the door. In reality, a large part of Apple’s user base never walked through it.

Weeks later, adoption data tells an uncomfortable story. Around half of eligible iPhone users are still running iOS 18, according to estimates cited by Forbes. Other trackers paint an even bleaker picture. StatCounter suggests fewer than one in five users have moved to iOS 26. Even the most optimistic readings leave hundreds of millions of devices exposed.

This matters because, unlike past cycles, there is no safety net this time.

The vulnerabilities sit inside WebKit, the browser engine behind Safari and every other iOS browser. Apple warned that attackers could use malicious websites to trigger code execution, opening the door to device takeover, credential theft, or payment data exposure. These attacks were described as targeted, but history shows that once details become public, targeted exploits tend to spread.

Under normal circumstances, users who delay major upgrades can rely on a parallel security update for the previous version. That expectation shaped behaviour. Many people stayed on iOS 18 assuming a patch would arrive. It didn’t. iOS 18.7.3 is only available for devices that cannot run iOS 26 at all.

The result leaves a stark divide. Users on iOS 26 receive protection. Everyone else waits with no meaningful mitigation. As Keeper Security’s Darren Guccione put it, once patches are public, the exposure window widens for anyone who delays updating.

The scale makes this harder to ignore. Apple’s installed base sits at roughly 1.6 billion devices worldwide. Even conservative estimates suggest around 800 million iPhones and iPads remain unpatched. That number climbs sharply under less generous assumptions.

The contrast with previous years stands out. At the same point in the iOS 18 and iOS 17 cycles, more than half of users had already upgraded. This time, momentum stalled. Comfort, habit, and upgrade fatigue appear to have outweighed security warnings.

How To Stay Protected

For users, the takeaway is simple. There is no workaround, no safer browsing mode, no setting that meaningfully reduces risk. The only practical defence is upgrading to iOS 26.2 or iPadOS 26.2. Devices with automatic updates enabled should already be protected. Everyone else needs to act manually through the software update menu.

Looking ahead, this episode hints at a larger tension. As iOS grows more complex and upgrades feel less urgent, Apple’s security model increasingly depends on user compliance. When that breaks down, even fast patches struggle to protect the ecosystem.

This time, Apple moved quickly. The users did not.
