Apple rushes out fix for active zero-day in iOS and macOS • The Register

Apple has shipped emergency updates to fix an actively exploited zero-day in its ImageIO framework, warning that the flaw has already been abused in targeted attacks.

Logged as CVE-2025-43300, the bug is an out-of-bounds write issue in ImageIO, the component apps rely on to read and write standard image formats. Apple warned that the flaw could let miscreants hijack devices with a booby-trapped image – and for some iDevice users, it sounds like the damage has already been done.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” Cupertino said.

Apple went on to explain that “processing a malicious image file may result in memory corruption,” but didn’t say what that could lead to. Typically, though, these types of flaws allow stealthy attackers to spy on users and steal sensitive data.

The company credits its own security team with the find and says it has tightened bounds checking to close the hole. Fixes landed on August 20 for iOS and iPadOS 18.6.2, macOS Sequoia 15.6.1, and the still-supported Sonoma 14.7.8 and Ventura 13.7.8, with a parallel update for older iPads on iPadOS 17.7.10.

As usual, Apple is keeping the juicy details under wraps. There’s no attribution, no list of targets, and no technical write-up beyond the basics. However, the phrasing in Apple’s release notes suggests the flaw has been abused by a sophisticated hacking group, potentially a spyware developer, rather than splashed about in broad criminal attacks.

The fixes continue a bruising run of emergency updates for Apple kit this year. In June, the company had to deal with another exploited zero-day, a zero-click flaw that allowed attackers to compromise devices simply by sending a malicious image or video link through iCloud. Researchers linked that attack to Paragon’s Graphite spyware, which was found on the phones of at least two journalists. That bug was squashed in iOS 18.3.1 and its desktop counterparts, but only after it had already been put to work in the wild.

None of this will trouble most users, but the point of targeted operations is to make sure victims never notice. If your kit runs iOS, iPadOS, or macOS, install the latest build and move on with your day; if you are the sort of person who worries about being on the sharp end of “extremely sophisticated” attacks, you probably already have. ®

