Apple announced a new round of security updates, addressing dozens of vulnerabilities across its desktop and mobile products, including patches for two recent zero-day flaws that had remained unaddressed in older iPhones.
The most important update involves a flaw in WebKit tracked as CVE-2025-24201, an out-of-bounds write that could allow attackers to craft malicious web content that breaks out of WebKit's Web Content sandbox, potentially leading to arbitrary code execution. Apple first addressed the flaw with the release of iOS 18.3.2, iPadOS 18.3.2, and Safari 18.3.1 on March 11. The fix has now been backported to older devices as well: iOS 16.7.11 and iPadOS 16.7.11, and iOS 15.8.4 and iPadOS 15.8.4.
Apple confirmed that the WebKit bug had been actively exploited in sophisticated attacks targeting specific users, especially those on versions of iOS prior to 17.2.
In addition to the WebKit vulnerability, Apple has also addressed CVE-2025-24200, an authorization issue that could allow a malicious actor to disable USB Restricted Mode on a locked device. This vulnerability was first fixed in February with iOS 18.3.1 and iPadOS 18.3.1. Apple also stated that the flaw had been exploited in certain targeted attacks.
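For anyone responsible for a fleet of devices, the practical question behind the two advisories above is which installed versions already carry the fixes. The following script is an added example written for this article, not Apple's tooling; the only fix versions it knows are the ones named above (iOS/iPadOS 18.3.2, 16.7.11 and 15.8.4 for CVE-2025-24201, and 18.3.1 for CVE-2025-24200). For any OS branch the article does not name (iOS 17.x, for instance), it reports "not listed" rather than guessing. The device inventory at the bottom is constructed sample data in the shape an MDM export might take.

```python
"""Check whether installed iOS/iPadOS versions include the fixes named in the
article for CVE-2025-24201 and CVE-2025-24200.

Example code added for this article; not Apple's own tooling.  Fix versions
are exactly those the article states.  Branches the article does not mention
are reported as 'not listed' instead of being inferred.
"""
from typing import Dict, List, Tuple

# Minimum patched version per CVE -> OS -> major branch, as stated in the article.
FIXED_VERSIONS: Dict[str, Dict[str, Dict[int, str]]] = {
    "CVE-2025-24201": {  # WebKit out-of-bounds write, Web Content sandbox escape
        "iOS":    {18: "18.3.2", 16: "16.7.11", 15: "15.8.4"},
        "iPadOS": {18: "18.3.2", 16: "16.7.11", 15: "15.8.4"},
    },
    "CVE-2025-24200": {  # authorization issue: disabling USB Restricted Mode
        "iOS":    {18: "18.3.1"},   # article names no fix for other branches
        "iPadOS": {18: "18.3.1"},
    },
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'18.3.2' -> (18, 3, 2).  Numeric parts, so 18.3.10 sorts after 18.3.2;
    a plain string comparison would get that wrong."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def version_at_least(installed: str, minimum: str) -> bool:
    """True if installed >= minimum, treating '18.4' as '18.4.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def patch_status(os_name: str, installed: str) -> Dict[str, str]:
    """Per CVE: 'patched', 'missing', or 'not listed' (no fix for this
    OS/branch is named in the article, so nothing is assumed)."""
    major = parse_version(installed)[0]
    status: Dict[str, str] = {}
    for cve, per_os in FIXED_VERSIONS.items():
        minimum = per_os.get(os_name, {}).get(major)
        if minimum is None:
            status[cve] = "not listed"
        elif version_at_least(installed, minimum):
            status[cve] = "patched"
        else:
            status[cve] = "missing"
    return status


def fleet_report(devices) -> List[Tuple[str, List[str]]]:
    """devices: iterable of (device_id, os_name, version).
    Returns (device_id, [CVEs whose listed fix is missing]) for devices that
    lack at least one listed fix."""
    report: List[Tuple[str, List[str]]] = []
    for device_id, os_name, version in devices:
        missing = [cve for cve, s in patch_status(os_name, version).items()
                   if s == "missing"]
        if missing:
            report.append((device_id, missing))
    return report


# Constructed sample inventory (not real devices), e.g. from an MDM export.
SAMPLE_INVENTORY = [
    ("phone-01",  "iOS",    "18.3.2"),   # both fixes present
    ("phone-02",  "iOS",    "18.3.1"),   # has 24200 fix, lacks 24201 fix
    ("phone-03",  "iOS",    "16.7.10"),  # one below the 16.x fix for 24201
    ("tablet-01", "iPadOS", "18.4"),     # newer than both fix versions
    ("phone-04",  "iOS",    "17.7.2"),   # branch not covered by the article
]

if __name__ == "__main__":
    for device_id, missing in fleet_report(SAMPLE_INVENTORY):
        print(f"{device_id}: missing {', '.join(missing)}")
    print("phone-04:", patch_status("iOS", "17.7.2"))
```

The check is deliberately conservative: "not listed" is distinct from "patched", so a branch the article says nothing about never shows up as safe, and the numeric comparison avoids the classic mistake of treating "18.3.10" as older than "18.3.2".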
Apple also released a major update for the latest generation of iPhones and iPads, iOS 18.4 and iPadOS 18.4, which resolves a total of 60 vulnerabilities. Their potential impact ranges from arbitrary code execution, crashes, privilege escalation, and information leaks to the bypass of security protections. The updates also address vulnerabilities that could allow user tracking, spoofing, and cross-site scripting (XSS) attacks.
For users with older devices, iPadOS 17.7.6 was rolled out with patches for 38 flaws, including several that could result in similar risks, such as denial-of-service (DoS), memory corruption, and unauthorized access.
In related news, France's antitrust watchdog fined Apple €150 million ($162 million) for violating competition laws with its App Tracking Transparency (ATT) feature. While the intention of ATT, which requires apps to ask users for permission before tracking them, was not criticized, the French Competition Authority ruled that the way Apple implemented it was excessive and not proportional to its goal of protecting user privacy.