Update your iPhone, iPad, and Mac ASAP to fix this dangerous security flaw - here's why

Elyse Betters Picaro / ZDNET

ZDNET's cardinal takeaways

• Apple has patched a superior information flaw connected iPhone, iPad, and Mac.
• Patch fixes a flaw that could let an attacker to instal spyware.
• The flaw has been exploited successful the chaotic against targeted individuals.

Get much in-depth ZDNET tech coverage: Add america arsenic a preferred Google source connected Chrome and Chromium browsers.

I cognize you're astir apt bushed of perpetually updating your iPhone, iPad, oregon Mac to hole 1 contented oregon another. But there's yet different update that you'll decidedly privation to install. And hopefully this volition beryllium the past 1 earlier iOS 26 and the different caller OS versions debut adjacent month.

Also: Changing these iOS 18 settings importantly improved my iPhone's artillery life

On Wednesday, Apple rolled retired updates for a slew of products and versions to resoluteness a information issue. Affecting iPhones, iPads, and Macs, the updates see iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, MacOS Sequoia 15.6.1, MacOS Sonoma 14.7.8, and MacOS Ventura 13.7.8.

How to update your Apple instrumentality - and why

If you privation to chopped to the pursuit and rapidly update your device, here's how. On your iPhone oregon iPad, spell to Settings, prime General, and pat Software Update. On your Mac, caput to System Settings, prime General, and click Software Update. On each platforms, let the latest update to download and install.

So what bash yesterday's updates carry, and wherefore should you instal them ASAP? They hole lone 1 flaw, but it's a superior one.

Also: How to wide your iPhone cache (and wherefore you should bash it earlier the iOS 26 update)

On its pages for iOS/iPadOS 18.6.2 and MacOS 15.6.1, Apple described the vulnerability arsenic 1 that affects its ImageIO framework and that "processing a malicious representation record whitethorn effect successful representation corruption." The institution added that it's alert of reports that this flaw whitethorn person been exploited successful the chaotic successful "an highly blase onslaught against circumstantial targeted individuals." Identified arsenic an "out-of-bounds constitute issue," the occupation was fixed done "improved bounds checking."

An highly blase attack

OK, let's interruption that down for those of you who privation the nitty gritty details.

ImageIO is an Apple model that lets applications work and constitute astir representation record formats. This lets your instrumentality cognize however to process and show a photograph oregon different image. "Processing a malicious representation record whitethorn effect successful representation corruption" means that an attacker could exploit a flaw successful ImageIO by creating an representation designed to corrupt your device's memory.

The "out-of-bounds constitute issue" is the existent flaw successful ImageIO, which means that the attacker could constitute information extracurricular of the representation reserved for a circumstantial program. By exploiting this flaw, they could past tally malicious codification and adjacent instal spyware. Fixing the contented required Apple to acceptable up "improved bounds checking" to guarantee that the malicious representation wouldn't beryllium capable to task beyond its assigned memory.

Also: 5 Apple products you decidedly shouldn't bargain this period (and 7 to get instead)

The unsafe portion present is that an attacker could people idiosyncratic done a seemingly innocent-looking image. This means that conscionable opening the representation could person led to compromise. Designated arsenic CVE-2025-43300, the flaw is further described connected its CVE page.

However, Apple's statement of "an highly blase onslaught against circumstantial targeted individuals" indicates that astir users wouldn't apt beryllium impacted by this issue. Instead, this sounds similar different effort by a spyware entity targeting authorities officials, governmental activists, journalists, and different high-profile individuals.

One famous, oregon infamous, institution known to motorboat these types of campaigns is NSO Group. Through its Pegasus spyware, the radical has been caught respective times exploiting flaws connected computers and mobile devices to show the activities of targeted victims.

The institution has argued that it uses its Pegasus bundle lone to assistance morganatic instrumentality enforcement bodies spell aft criminals and terrorists. But Apple has sued NSO Group and been forced to patch immoderate exploited flaws recovered successful its operating system.

Also: Installed iOS 18.6 connected your iPhone? Change these 11 settings for the champion experience

The latest updates travel conscionable a fewer days aft the merchandise of iOS 18.6.1 and WatchOS 11.6.1, which brought with them a caller (and hopefully non-patent-infringing) mentation of Apple's Blood Oxygen monitoring tool.