Apple Patches Zero-Day Exploit in iPhones

Concise Summary:
Apple has released a critical security patch for iOS and iPadOS devices to address a zero-day vulnerability affecting WebKit, the browser engine for Safari and other browsers on iPhones and iPads. This vulnerability allows malicious web content to bypass Apple’s security sandbox and potentially gain control of affected devices. The vulnerability appears to have been exploited in “an extremely sophisticated attack against specific targeted individuals” using older versions of iOS before the release of iOS 17.2, though Apple acknowledges its possible exploitation in a broader context. The vulnerability has been patched with iOS and iPadOS update 18.3.2 and users are advised to install it immediately, particularly those potentially targeted by nation-state spies or law enforcement agencies. While no evidence suggests widespread exploitation, maintaining timely software updates is essential for security.

Key Points:

    • Apple has released a critical security update for all iPhones and iPads affected by a zero-day vulnerability.
    • The vulnerability allows malicious web content to bypass the Safari browser’s security sandbox, potentially enabling attacks on targeted individuals.
    • This vulnerability was exploited in an “extremely sophisticated attack” against specific individuals using older iOS versions, according to Apple’s advisory.
    • Apple is aware of reports suggesting this issue may have been exploited by attackers who are capable of sophisticated tactics and have resources for advanced operations.
    • Users with older iOS or iPadOS versions should update their devices as soon as possible due to the vulnerability’s potential impact.

Archive Links:
12ft: https://12ft.io/https://arstechnica.com/security/2025/03/apple-patches-0-day-exploited-in-extremely-sophisticated-attack/
archive.org: Apple patches 0-day exploited in “extremely sophisticated attack” - Ars Technica
archive.is: https://archive.is/https://arstechnica.com/security/2025/03/apple-patches-0-day-exploited-in-extremely-sophisticated-attack/
archive.today: https://archive.today/https://arstechnica.com/security/2025/03/apple-patches-0-day-exploited-in-extremely-sophisticated-attack/

Original Link: https://arstechnica.com/security/2025/03/apple-patches-0-day-exploited-in-extremely-sophisticated-attack/

User Message: Apple patches 0-day exploited in “extremely sophisticated attack”

0-day exploited by maliciously crafted Web content to break out of security sandbox.

Apple on Tuesday patched a critical zero-day vulnerability in virtually all iPhones and iPad models it supports and said it may have been exploited in “an extremely sophisticated attack against specific targeted individuals” using older versions of iOS.

TIME TO UPDATE TO 18.3.2

The vulnerability, tracked as CVE-2025-24201, resides in WebKit, the browser engine driving Safari and all other browsers developed for iPhones and iPads. Devices affected include the iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. The vulnerability stems from a bug that wrote to out-of-bounds memory locations.
