Originally published at: https://tidbits.com/2025/03/11/apple-updates-keep-malicious-web-content-in-the-sandbox/
Apple has released several updates with a supplementary fix for an attack that the company says was blocked in iOS 17.2. These include iOS 18.3.2 and iPadOS 18.3.2, macOS 15.3.2 Sequoia, visionOS 2.3.2, and Safari 18.3.1 for macOS 13 Ventura and macOS 14 Sonoma. (Apple also released tvOS 18.3.1 to fix a bug that may prevent playback of some streaming content on the 3rd-generation Apple TV 4K. It has no security release notes and may not have needed the supplementary fix.)
The updates prevent maliciously crafted Web content from breaking out of the Web Content sandbox and kicking sand in the faces of Apple users everywhere. The original vulnerability was exploited in what Apple describes as an “extremely sophisticated” attack against specific targeted individuals on versions of iOS before iOS 17.2.
Apple identifies this latest vulnerability as CVE-2025-24201. Apple filing a CVE is unusual, as the company typically only acknowledges external researchers and organizations while remaining silent about vulnerabilities discovered internally.
Given Apple’s reference to the attack being blocked over a year ago, I spent some time trying to piece together what may have taken place. Data points include:
- iOS 17.2, released on 11 December 2023, fixes four WebKit vulnerabilities to block maliciously crafted Web content. However, Apple does not describe any of these vulnerabilities as capable of escaping the Web Content sandbox. Nor does Apple use language indicating that a zero-day vulnerability is being exploited. See “Apple’s End-of-Year OS Updates Add Promised Features, Security Updates” (11 December 2023).
- iOS 17.2.1, released on 19 December 2023, has no published CVE entries and thus no security release notes. However, it was accompanied by updates to iOS 16.7.4 and iPadOS 16.7.4, macOS Sonoma 14.2.1, and Safari 17.2.1 for the two previous versions of macOS. Of the releases, only macOS 14.2.1 has any security release notes, but they detail a Screen Sharing vulnerability (see “Apple Releases macOS 14.2.1, iOS 17.2.1, iOS 16.7.4, and iPadOS 16.7.4,” 19 December 2023).
- In the release notes for Google Chrome 134.0.6998.88/.89, Google credits Apple Security Engineering and Architecture for CVE-2025-24201. Google characterizes the vulnerability as “Out of bounds write in GPU on Mac,” saying it “is aware of reports that an exploit for CVE-2025-24201 exists in the wild.”
In other words, despite Apple’s statement, I don’t think iOS 17.2 blocks the “extremely sophisticated attack against specific targeted individuals.” When I combine the lack of release notes for iOS 17.2.1 with the release of Safari 17.2.1 (suggesting a WebKit vulnerability) and the late December release date, I believe that this second set of releases was aimed at rebuilding the Web Content sandbox, but Apple could stay quiet about the details because it discovered the problem internally. Perhaps Apple was speaking loosely by including iOS 17.2.1 when it said that versions of iOS before iOS 17.2 were affected.
I suspect that Apple would have quietly integrated this fix into its next set of updates, except that it also affected Google Chrome. That required going public and filing a CVE, and once that had happened, Apple had no choice but to release these updates immediately to ensure that its current operating systems weren’t vulnerable.
Practically speaking, I think it’s important to update, but not in panic mode. Although this supplementary fix is associated with a zero-day exploit, that attack occurred over a year ago and was used against “specific targeted individuals,” so the vulnerability is probably not the sort of thing that would be leveraged in malware against everyday Apple users in the next few days. Install the updates as soon as it’s convenient, and stay safe out there.