Original Article Text

Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks

Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks.

The vulnerability is tracked as CVE-2025-24201 and was found in the WebKit cross-platform web browser engine used by Apple's Safari web browser and many other apps and web browsers on macOS, iOS, Linux, and Windows.

"This is a supplementary fix for an attack that was blocked in iOS 17.2," the iPhone maker said in security advisories issued on Tuesday. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2."

Apple said attackers can exploit the CVE-2025-24201 vulnerability using maliciously crafted web content to break out of the Web Content sandbox. The company has fixed this out-of-bounds write issue with improved checks to prevent unauthorized actions in iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, and visionOS 2.3.2.

The list of devices impacted by this zero-day is quite extensive, as the bug affects older and newer models, including:

Apple has yet to attribute the discovery of this security vulnerability to one of its researchers and has yet to publish details regarding the "extremely sophisticated" attacks it linked it to.

Even though the zero-day bug was likely only exploited in targeted attacks, installing today's security updates as soon as possible is highly recommended to block potentially ongoing attack attempts.

With this vulnerability, Apple has fixed three zero-days since the start of the year, the first in January (CVE-2025-24085) and the second in February (CVE-2025-24200). Last year, the company patched six more zero-days exploited in the wild: the first in January, two in March, a fourth in May, and two more in November.

However, one year before, Apple patched 20 zero-day vulnerabilities exploited in attacks, including:

Daily Brief Summary

MALWARE // Apple Patches Sophisticated Zero-Day Exploit in WebKit

Apple has issued an emergency update to address a zero-day vulnerability in its WebKit browser engine, affecting various devices and platforms.

The security flaw, identified as CVE-2025-24201, was exploited in highly sophisticated attacks targeting specific individuals on versions of iOS before iOS 17.2.

The vulnerability allowed attackers to use specially crafted web content to escape the Web Content sandbox and perform unauthorized actions.

Devices running iOS, iPadOS, macOS, and visionOS have received patches in the latest updates to mitigate this vulnerability.

The affected range includes both older and newer models of Apple devices, emphasizing the broad impact of the bug.

This incident marks one of several zero-day vulnerabilities Apple has addressed this year, with prior fixes released for other critical issues in January and February.

While Apple has not disclosed the attackers or detailed specifics of the attack, the urgency and nature of the patches underscore the vulnerability's severity.

Users are strongly encouraged to install the latest security updates immediately to protect against potential exploitation of this and other similar vulnerabilities.