CyberSecurity news
FlagThis - #ios
|
Pierluigi Paganini@securityaffairs.com
//
Apple has released details about a zero-day vulnerability, CVE-2025-43200, that was exploited by Paragon's Graphite spyware to hack at least two journalists' iPhones in Europe. The vulnerability was a zero-click flaw in iMessage, allowing attackers to compromise devices without any user interaction. Apple had quietly patched the flaw in iOS 18.3.1, which was released on February 10, but the details of the vulnerability were not publicized until recently.
The security advisory was updated four months after the initial iOS release to include the zero-day flaw, described as a logic issue when processing a maliciously crafted photo or video shared via an iCloud Link. Apple stated that they were aware of a report that this issue was exploited in an "extremely sophisticated attack against specific targeted individuals." Citizen Lab confirmed that this was the flaw used against Italian journalist Ciro Pellegrino and an unnamed "prominent" European journalist. Citizen Lab also confirmed that Paragon's Graphite spyware was used to hack the journalists' iPhones. This incident is part of a growing trend of mercenary spyware operators exploiting iOS through silent attack chains. The now-confirmed infections call into question a report by Italian lawmakers, which didn't mention one of the hacked journalists. It remains unclear why Apple did not disclose the existence of the patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.
Share:
References :
Classification:
Bill Mann@CyberInsider
//
Apple has released a series of critical security updates for its operating systems, including iOS 18.4 and macOS Sequoia 15.4. These updates address a total of 145 vulnerabilities, including several zero-day exploits that may have been actively exploited. Users of iOS, iPadOS, macOS, tvOS, visionOS, Safari, and Xcode are urged to update their devices immediately to safeguard against potential security threats. Notably, watchOS was missing from this patch lineup.
Apple pushed emergency updates targeting three zero-day vulnerabilities identified as CVE-2025-24200 (Accessibility) and CVE-2025-24201 (WebKit). These patches have been backported to older iOS and iPadOS versions, specifically 15.8.4 and 16.7.11, ensuring that users on older devices are also protected from these actively exploited flaws. The updates include fixes for bugs in WebKit, Siri, Safari, and libxpc, along with numerous other security enhancements, underscoring Apple's commitment to addressing security vulnerabilities across its product ecosystem.
Share:
References :
Classification:
Pierluigi Paganini@Security Affairs
//
Apple released a substantial set of security updates on March 31st, 2025, addressing a total of 145 vulnerabilities across its product ecosystem, including iOS, iPadOS, macOS, tvOS, visionOS, Safari, and Xcode. Notably absent from this update was watchOS. The updates included backported fixes for three actively exploited zero-day vulnerabilities, specifically targeting older iOS and iPadOS versions. These vulnerabilities had already been addressed in more recent versions a few weeks prior.
The most critical fix is for CVE-2025-24200, a vulnerability that allowed attackers to bypass USB Restricted Mode. This feature, introduced in 2018 to protect locked iDevices, could be disabled, potentially exposing user data. Another significant fix addresses CVE-2025-24201, a flaw in the WebKit engine that allowed malicious web content to escape Safari's sandbox. Additionally, macOS Ventura received a patch for CVE-2025-24085, a privilege escalation vulnerability in CoreMedia. These updates are now available for iOS versions 16.7.11 and 15.8.4, iPadOS versions 16.7.11 and 15.8.4, and macOS Ventura 13.7.5.
Share:
References :
Classification:
|