Apple rushes out iOS update to patch dangerous image file exploit

Source Cryptopolitan

Less than a week after releasing iOS 18.6.1, Apple has launched update 18.6.2, which could supposedly stop hackers from accessing devices through “malicious image files.”

The flaw, tracked as CVE-2025-43300, was identified inside Apple’s Image I/O framework, which handles the reading and writing of image files across its devices. According to the iPhone manufacturer, processing a maliciously crafted image could result in memory corruption and could allow an attacker to execute malicious code on the device.

Apple said the bug had been exploited by an “extremely sophisticated attack against specific targeted individuals.” The company fixed the problem with iOS 18.6.2 and parallel security patches for macOS Sequoia, Sonoma and Ventura, issued in an unscheduled update late Wednesday.

“For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” the company wrote on its official support page.

Affected devices and update availability

The iOS 18.6.2 update covers all iPhones released since 2018, beginning with the iPhone XS, XS Max, XR, and the second- and third-generation iPhone SE. The patch also extends to Apple’s latest devices, including the iPhone 16 series and iPhone 16e.

Supported iPad models include the iPad Pro 13-inch, iPad Pro 12.9-inch (2nd generation and later), iPad Pro 11-inch (1st generation and later), iPad Pro 10.5-inch, iPad Air (3rd generation and later), iPad (6th generation and later), and iPad mini (5th generation and later).

Apple issues urgent iOS update, iOS 18.6.2 update pinned critical for iPhone and iPads.
iOS new update notes. Source: Apple Support.

The update is also available for Apple’s Mac computers running the three most recent versions of macOS. The tech giant is asking users not to wait for the automatic rollout and instead apply the patch manually, as the auto update could take time reaching all devices.

How did update 18.6.1 make devices vulnerable?

According to several security analysts, the flaw is an out-of-bounds write vulnerability, a type of bug that allows attackers to access or manipulate sections of device memory that should normally be restricted.

Pieter Arntz, a former Microsoft consultant and researcher at cybersecurity firm Malwarebytes, explained in a blog post that the vulnerability could allow attackers to insert and run code in “inaccessible” parts of memory. 

“Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions,” he wrote.

Arntz mentioned adversaries could exploit the bug by creating a malicious image file that corrupts memory as soon as the device processes it, even without user interaction. He compared the attack to so-called zero-click exploits, where spyware or malware is triggered simply by receiving or processing malicious content.

“Processing such a malicious image file would result in memory corruption,” he said. “Memory corruption issues can be manipulated to crash a process or run an attacker’s code.”

Apple has admitted it had received reports of the flaw being used in targeted attacks against certain individuals, but did not identify the victims.

Sean Wright, head of application security at Featurespace, believes the exploit was too complex to be deployed on a wide scale.

“Thankfully, the exploit does appear to be complex and likely only exploited in a very targeted attack, so most ordinary users are unlikely to become a victim,” Wright told Forbes. “But I would still highly recommend applying the fix as soon as possible to be on the safe side.”

If you're reading this, you’re already ahead. Stay there with our newsletter.

Disclaimer: For information purposes only. Past performance is not indicative of future results.
placeholder
Ethereum Price Forecast: ETH bounces off $4,100 as whales show resilienceEthereum (ETH) saw a 5% gain on Wednesday as large-scale holders continued accumulating the altcoin despite increased profit-taking from retailers.
Author  FXStreet
Yesterday 01: 40
Ethereum (ETH) saw a 5% gain on Wednesday as large-scale holders continued accumulating the altcoin despite increased profit-taking from retailers.
placeholder
Bitcoin Price Forecast: BTC steadies at $113,500 as traders await Powell’s Jackson Hole speechBitcoin (BTC) steadies around $113,500 at the time of writing on Thursday after falling 3% so far this week.
Author  FXStreet
Yesterday 09: 40
Bitcoin (BTC) steadies around $113,500 at the time of writing on Thursday after falling 3% so far this week.
placeholder
Ripple Price Forecast: XRP slips as investors lock in $300M profit ahead of Fed Chair Powell's speechXRP fell 3% to $2.85 on Thursday as investors booked over $300 million in profits following hawkish Federal Open Market Committee (FOMC) minutes from its July meeting.
Author  FXStreet
12 hours ago
XRP fell 3% to $2.85 on Thursday as investors booked over $300 million in profits following hawkish Federal Open Market Committee (FOMC) minutes from its July meeting.
placeholder
Ethereum Price Forecast: ETH risks selloff as supply in profit tops 90% ahead of Powell's speechEthereum's (ETH) large percentage of supply in profit could stir selling activity as hawkish signs continue to grow on Thursday, ahead of Federal Reserve (Fed) Chair Jerome Powell's speech at Jackson Hole.
Author  FXStreet
12 hours ago
Ethereum's (ETH) large percentage of supply in profit could stir selling activity as hawkish signs continue to grow on Thursday, ahead of Federal Reserve (Fed) Chair Jerome Powell's speech at Jackson Hole.
placeholder
Gold slips as reduced Fed rate cut bets underpin USD ahead of Powell's Jackson Hole speechGold (XAU/USD) remains under some selling pressure for the second straight day on Friday, though it manages to hold above the overnight swing low.
Author  FXStreet
7 hours ago
Gold (XAU/USD) remains under some selling pressure for the second straight day on Friday, though it manages to hold above the overnight swing low.
goTop
quote