On April 1, 2025, Apple issued critical security updates targeting older iOS and macOS devices to address three vulnerabilities that have been actively exploited. These vulnerabilities, identified as CVE-2025-24085, CVE-2025-24200, and CVE-2025-24201, pose significant security risks, and users are strongly encouraged to update their devices promptly.
Details of the Vulnerabilities:
1. CVE-2025-24085: This is a use-after-free vulnerability in the Core Media component, which could allow a malicious application already installed on a device to elevate its privileges. Apple has addressed this issue in macOS Sonoma 14.7.5, macOS Ventura 13.7.5, and iPadOS 17.7.6.
2. CVE-2025-24200: An authorization flaw in the Accessibility component could enable an attacker to disable USB Restricted Mode on a locked device, potentially facilitating physical attacks. This vulnerability has been patched in iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, and iPadOS 16.7.11.
3. CVE-2025-24201: An out-of-bounds write issue in the WebKit component could allow an attacker to craft malicious web content capable of escaping the Web Content sandbox. Fixes for this vulnerability are included in iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, and iPadOS 16.7.11.
Affected Devices:
The updates are available for a range of older devices, including:
– iOS 15.8.4 and iPadOS 15.8.4: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).
– iOS 16.7.11 and iPadOS 16.7.11: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation.
– iPadOS 17.7.6: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation.
Context and Implications:
These vulnerabilities have been actively exploited in the wild, underscoring the importance of timely updates. Apple’s decision to backport these fixes to older devices highlights the company’s commitment to user security across its product lineup.
In addition to these updates, Apple has released iOS 18.4 and iPadOS 18.4 to address 62 flaws, macOS Sequoia 15.4 to fix 131 flaws, tvOS 18.4 to resolve 36 flaws, visionOS 2.4 to patch 38 flaws, and Safari 18.4 to fix 14 flaws. While none of these newly disclosed issues have been reported as actively exploited, users are advised to update their devices to the latest versions to protect against potential threats.
Recommendations:
Users of the affected devices should:
– Update Immediately: Install the latest security updates to mitigate the risks associated with these vulnerabilities.
– Stay Informed: Regularly check for software updates and install them promptly to ensure device security.
– Exercise Caution: Be vigilant when downloading applications or clicking on links from unknown sources, as these can be vectors for exploitation.
By taking these steps, users can enhance their device security and protect their personal information from potential threats.
