- Apple fixes CVE-2025-43300, an out-of-bounds write bug in iOS and iPadOS
- The bug allowed threat actors to run remote code execution attacks
- There is evidence of abuse in the wild, so users should be on their guard
Apple has fixed a bug in iOS and iPadOS which was apparently being used in “an extremely sophisticated attack against specific targeted individuals”.
In a security advisory, Apple said it fixed an out-of-bounds write issue it found in the ImageIO framework, which lets apps open, save, and work with image files efficiently, including reading details like EXIF data, or creating thumbnails.
An out-of-bounds bug happens when software mistakenly writes data beyond the memory area it was supposed to. This can corrupt memory, crash apps, and even allow threat actors to run malicious code, remotely.
Hiding the details from the crooks
Since the bug was found in ImageIO, it allowed specially crafted images to overflow memory checks and overwrite adjacent data when processed. A threat actor could send a malicious image in an email, a message, or a webpage. If the vulnerable device were to try and render it, the out-of-bounds write might let the attacker crash the system, or even run malware.
The bug is tracked as CVE-2025-43300, and doesn’t yet have a severity score. Apple did not discuss the findings further, in order to give everyone enough time to patch, without giving other threat actors knowledge on how to abuse it.
Devices affected by this flaw include iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Apple fixed it by improving boundary checks, in versions iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.
This is the sixth zero-day vulnerability Apple fixed since the start of 2025, BleepingComputer reports, including CVE-2025-24085 (January), CVE-2025-24200 (February), CVE-2025-24201 (March), and two in April, CVE-2025-31200 and CVE-2025-31201.
Via BleepingComputer
You might also like
https://cdn.mos.cms.futurecdn.net/UqcNtfBTccifaDs75BSsr6.jpg
Source link
