CVE-2026-58595: Update Bing for iOS to 33.4.440529002

Microsoft has fixed CVE-2026-58595, a high-severity spoofing vulnerability in Microsoft Bing Search for iOS, with version 33.4.440529002. Any release older than that build is listed as affected, making an App Store update the immediate action for users and organizations that deploy the Bing app on iPhones or iPads.
Published by the Microsoft Security Response Center on July 14, 2026, the flaw carries a CVSS 3.1 base score of 8.1. Microsoft describes it as an improper restriction of rendered user-interface layers or frames that could allow an unauthenticated attacker to perform spoofing over a network.
The advisory is unusually sparse beyond those core facts. Microsoft has not publicly provided a proof of concept, detailed exploitation sequence, or example of the interface an attacker could imitate, so administrators should avoid assuming that the vulnerability exposes credentials or enables code execution. What is clear is that exploitation requires user interaction, while the attacker needs neither an account nor existing privileges in the app.

Bing for iOS security alert warns of spoofing, tapjacking, and UI redressing; update to version 33.4.440529002.Bing 33.4.440529002 Draws the Security Line​

Microsoft’s affected-version declaration covers Microsoft Bing Search for iOS from version 1.0 up to, but not including, 33.4.440529002. That makes the remediation threshold straightforward: devices running build 33.4.440529002 or later are outside the vulnerable range currently documented by Microsoft.
Users can check the installed version through the iOS Settings app under General, iPhone Storage, and Bing, or from the application’s listing and update history in the App Store. Because Apple can stage automatic updates rather than installing them immediately on every device, enabling automatic updates does not prove that the fixed build has already arrived.
For a personal device, the practical response is to open the App Store, locate the Bing application, and install any available update. If the installed build remains below 33.4.440529002 and no update is offered, temporarily avoiding the app is the safer option until the corrected release becomes available in that App Store region.
Enterprise administrators should verify the deployed version through their mobile-device-management platform rather than relying on users to report whether automatic updates are enabled. Microsoft Intune and other MDM products can inventory managed applications, identify devices with older builds, and enforce or prompt an application update according to organizational policy.
The flaw affects the iOS application, not the Windows edition of Microsoft Edge, the Bing website viewed in a desktop browser, or Windows itself. It nevertheless matters to Windows-focused organizations because the Bing app may be installed on managed iPhones used alongside Microsoft 365, Entra ID, Intune, Defender, and other components of a Microsoft-centered workplace.

A UI Layer Can Become Part of the Attack​

CVE-2026-58595 is mapped to CWE-1021, Improper Restriction of Rendered UI Layers or Frames. MITRE uses that classification for software that fails to keep interface content from one application or origin properly separated from content controlled by another.
The broader attack family includes clickjacking, interface redressing, and the mobile-oriented technique commonly called tapjacking. An attacker presents a deceptive interface, overlay, frame, or visual layer so that the victim misunderstands what is being displayed or what a tap will do.
That classification offers useful context, but it does not disclose the exact Bing implementation error. Microsoft has not said whether CVE-2026-58595 involves an in-app browser, search-result rendering, navigation indicators, a prompt, an overlay, or another portion of the Bing interface. Treating any one of those possibilities as the confirmed attack path would go beyond the published evidence.
The CVSS vector does establish several boundaries. CVE-2026-58595 is network-reachable, has low attack complexity, requires no privileges, and needs user interaction. Its scope is unchanged, and Microsoft assigns no confidentiality impact but high integrity and availability impacts.
In practical terms, the published score suggests that an attacker could prepare remotely delivered content without first compromising the device or authenticating to the victim’s account. The attack would still require the user to open, view, tap, or otherwise interact with something. The spoofing element could then misrepresent the trustworthy interface or conceal the true target of an action.
The absence of a confidentiality impact is significant. Microsoft’s vector does not characterize this as a direct data-reading vulnerability. It also does not indicate arbitrary code execution, a sandbox escape, or complete iPhone takeover.
The high integrity and availability ratings are less intuitive for a brief advisory labeled simply as spoofing. They indicate that Microsoft’s scoring model anticipates potentially serious unauthorized changes or disruption, but the company has not published enough technical detail to show precisely how those consequences arise. Security teams should preserve that distinction between the vendor’s severity assessment and the attack mechanics that are actually public.

A High Score Does Not Mean Zero-Click Compromise​

An 8.1 rating will put CVE-2026-58595 into high-priority vulnerability queues, but the number should not be read in isolation. User interaction is required, and the advisory does not describe a zero-click route in which merely having Bing installed compromises the device.
It is also not a Windows Patch Tuesday vulnerability that can be remediated through Windows Update, WSUS, or a monthly cumulative update. The vulnerable component is the separately distributed Bing application for Apple’s mobile platform, so remediation comes through the App Store or an organization’s managed-app workflow.
That difference can create a visibility gap. A Windows operations team may complete its July patching cycle while managed iPhones continue running an older Bing build because mobile application inventory is owned by another team—or is not reviewed at all.
Organizations that allow Bing for iOS should add the version threshold to their application-compliance checks. A focused response can remain simple:
  • Confirm whether Microsoft Bing Search for iOS is installed on corporate or personally owned devices with access to business resources.
  • Require build 33.4.440529002 or later where the application is managed.
  • Warn users to be cautious of unexpected prompts, overlays, redirects, or requests to confirm sensitive actions inside the app.
  • Remove or temporarily block the application when an affected build cannot be upgraded.
Those precautions do not require administrators to speculate about an undisclosed exploit. They address the documented conditions: remote delivery, deceptive interface rendering, and a required user action.

Sparse Disclosure Leaves Exploitability Unsettled​

The initial CVE record confirms the vulnerability’s existence, affected product, remediation boundary, weakness class, and CVSS vector. It does not yet provide the root-cause analysis that defenders would need to build network detections, reproduce the flaw, or determine whether particular Bing features expose greater risk.
No public technical evidence accompanying the initial advisory establishes that CVE-2026-58595 is being exploited in the wild. Likewise, the lack of disclosed exploitation should not be interpreted as proof that attacks are impossible. The low-complexity, network-based vector means the fixed application should be deployed promptly rather than waiting for a public proof of concept.
For most users, this is an application-update problem rather than an incident-response emergency. For enterprises, it is a reminder that Microsoft security advisories increasingly cover software outside the traditional Windows servicing stack, including apps delivered through Apple and Google storefronts.
The immediate milestone is concrete: Bing Search for iOS must be at version 33.4.440529002 or newer. Until Microsoft publishes deeper technical details, that build number—not speculation about the hidden interface flaw—is the most reliable line administrators can enforce.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top