Article Details

Apple belatedly patches actively exploited bugs in older OSes. Cupertino already squashed 'em in more recent releases - which this week get a fresh round of fixes. Apple has delivered a big batch of OS updates, some of which belatedly patch older versions of its operating systems to address exploited-in-the-wild flaws the iGiant earlier fixed in more recent releases. The most significant fix addresses CVE-2025-24200, a hole in USB Restricted Mode – the security feature introduced back in 2018 to lock down the Lightning or USB-C port if an iDevice has been locked for over an hour. The vulnerability allowed attackers with physical access to a locked device to disable this USB Restricted Mode, potentially exposing user data. In February, Apple patched this in iOS 18.3.1, iPadOS 18.3.1 and iPadOS 17.7.5. after discovering it was being used in what it called an "extremely sophisticated attack against specific targeted individuals." That same fix is now trickling down to iOS 16.7.11 and 15.8.4 and iPadOS versions 16.7.11 and 15.8.4. Another exploited flaw (CVE-2025-24201) allowed malicious web content to escape the Safari browser engine WebKit’s Web Content sandbox. Its also now fixed by iOS versions 16.7.11 and 15.8.4 and corresponding iPadOS versions. The update to macOS Ventura, an OS first released in 2019, addressed CVE-2025-24085 - a privilege escalation vulnerability in CoreMedia caused by a use-after-free() flaw that is under active exploitation. The new macOS Ventura 13.7.5 includes the fix. Those running macOS Sonoma may wish to consider the new version 14.7.5 as it includes 90 patches. Ye olde macOS Sequoia gained over 120 patches, to fix flaws in AirDrop, the App Store, the Dock, and its kernel – which could leak user info. Upgrading to version 15.4 should squash the bugs. Apple’s slow delivery of updates for old flaws matters because the company champions a “Longevity by design” [PDF] ethos that means its products are designed to last for years. Back to the future Apple's also updated its most recent iOS and iPadOS releases to version 18.4 , and addressed 60 vulnerabilities along the way. None are known to be under active attack. Apple's low-selling Vision Pro headset also got some attention - visionOS 2.4 included over 35 patches. There were 14 fixes included in Safari 18.4, none thankfully exploited in the wild, seven of them for WebKit again. A couple of fixes for Xcode 16.3 were also bundled in. Apple’s tvOS was also upgraded to version 18.4 which includes fixes for over 40 CVEs. Apple products generally prompt users to adopt OS updates and bug fixes shortly after their release, and the process of installing them is generally painless. The iGiant does not, however, issue fixes on a predictable schedule. Given the high number of CVEs this round of OS updates addresses, miscreants are likely already picking through Apple’s changelogs and looking for opportunities, so if you can find time to update, it’s sensible to do so.