Pierluigi Paganini
May 13, 2025
Apple released urgent iOS and macOS security updates to patch critical flaws that could allow attackers to execute malicious code just by opening a crafted image, video, or website:
Apple’s iOS 18.5 update addressed multiple critical flaws in AppleJPEG, CoreMedia, and other components that could let attackers run code or leak data via malicious media files.
The company patched severe file-parsing flaws in CoreAudio, CoreGraphics, and ImageIO that could lead to unexpected app termination or corrupt process memory, or leak data when opening malicious content.
Some bugs could trigger a denial-of-service condition or lead to memory corruption.
One of the issues, tracked as CVE-2025-31217, can be triggered by processing maliciously crafted web content, leading to an unexpected Safari crash.
Processing maliciously crafted web content may lead to an unexpected Safari crash.
Apple’s also addressed a Baseband flaw, tracked as CVE-2025-31214, that can be exploited by an attacker to intercept traffic on iPhone 16e.
The IT giant also fixed a mDNSResponder privilege escalation bug, tracked as CVE-2025-31222, a Notes issue leaking data from locked screens, and other security gaps in FrontBoard, iCloud Document Sharing, and Mail Addressing.
iOS 18.5 is now available for iPhone XS and newer models, while the accompanying iPadOS update supports iPad Pro (2018 and later), iPad Air 3rd generation, iPad 7th generation, iPad mini 5, and subsequent devices.
Apple also released updates for macOS Sequoia, macOS Sonoma, macOS Ventura, as well as for watchOS, tvOS, and visionOS.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, iOS)
