You should update your iPhone, iPad, and Mac ASAP to fix this dangerous security flaw

Elyse Betters Picaro / ZDNET

Follow ZDNET: Add america arsenic a preferred source on Google.

ZDNET's cardinal takeaways

• Apple has patched a superior information flaw connected iPhone, iPad, and Mac.
• Patch fixes a flaw that could let an attacker to instal spyware.
• The flaw has been exploited successful the chaotic against targeted individuals.

I cognize you're astir apt bushed of perpetually updating your iPhone, iPad, oregon Mac to hole 1 contented oregon another. But there's yet different update that you'll decidedly privation to install. And hopefully this volition beryllium the past 1 earlier iOS 26 and the different caller OS versions debut adjacent month.

Also: Changing these iOS 18 settings importantly improved my iPhone's artillery life

Last Wednesday, Apple rolled retired updates for a slew of products and versions to resoluteness a information issue. Affecting iPhones, iPads, and Macs, the updates see iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, MacOS Sequoia 15.6.1, MacOS Sonoma 14.7.8, and MacOS Ventura 13.7.8.

How to update your Apple instrumentality - and why

If you privation to chopped to the pursuit and rapidly update your device, here's how. On your iPhone oregon iPad, spell to Settings, prime General, and pat Software Update. On your Mac, caput to System Settings, prime General, and click Software Update. On each platforms, let the latest update to download and install.

So what bash yesterday's updates carry, and wherefore should you instal them ASAP? They hole lone 1 flaw, but it's a superior one.

Also: How to wide your iPhone cache (and wherefore you should bash it earlier the iOS 26 update)

On its pages for iOS/iPadOS 18.6.2 and MacOS 15.6.1, Apple described the vulnerability arsenic 1 that affects its ImageIO framework and that "processing a malicious representation record whitethorn effect successful representation corruption." The institution added that it's alert of reports that this flaw whitethorn person been exploited successful the chaotic successful "an highly blase onslaught against circumstantial targeted individuals." Identified arsenic an "out-of-bounds constitute issue," the occupation was fixed done "improved bounds checking."

An highly blase attack

OK, let's interruption that down for those of you who privation the nitty-gritty details.

ImageIO is an Apple model that lets applications work and constitute astir representation record formats. This lets your instrumentality cognize however to process and show a photograph oregon different image. "Processing a malicious representation record whitethorn effect successful representation corruption" means that an attacker could exploit a flaw successful ImageIO by creating an representation designed to corrupt your device's memory.

The "out-of-bounds constitute issue" is the existent flaw successful ImageIO, which means that the attacker could constitute information extracurricular of the representation reserved for a circumstantial program. By exploiting this flaw, they could past tally malicious codification and adjacent instal spyware. Fixing the contented required Apple to acceptable up "improved bounds checking" to guarantee that the malicious representation wouldn't beryllium capable to task beyond its assigned memory.

Also: 5 Apple products you decidedly shouldn't bargain this period (and 7 to get instead)

The unsafe portion present is that an attacker could people idiosyncratic done a seemingly innocent-looking image. This means that conscionable opening the representation could person led to compromise. Designated arsenic CVE-2025-43300, the flaw is further described connected its CVE page.

However, Apple's statement of "an highly blase onslaught against circumstantial targeted individuals" indicates that astir users wouldn't apt beryllium impacted by this issue. Instead, it sounds similar different effort by a spyware entity to people authorities officials, governmental activists, journalists, and different high-profile individuals.

One famous, oregon infamous, institution known to motorboat these types of campaigns is NSO Group. Through its Pegasus spyware, the radical has been caught respective times exploiting flaws connected computers and mobile devices to show the activities of targeted victims.

The institution has argued that it uses its Pegasus bundle lone to assistance morganatic instrumentality enforcement bodies spell aft criminals and terrorists. But Apple has sued NSO Group and been forced to patch immoderate exploited flaws recovered successful its operating system. 

"CVE-2025-43300 could let an attacker to trigger representation corruption if a idiosyncratic opens a malicious representation file, perchance enabling malicious codification execution and compromise of the iPhone," Adam Boynton, elder information strategy manager of mobile instrumentality information steadfast Jamf, said successful an email to ZDNET.

Also: Installed iOS 18.6 connected your iPhone? Change these 11 settings for the champion experience

"Apple has indicated that this vulnerability has been exploited successful sophisticated, targeted attacks, which typically absorption connected individuals with highly valued entree oregon contacts, specified arsenic journalists, lawyers, activists, and authorities officials," Boynton added. "While Apple has not confirmed whether this circumstantial flaw was linked to spyware, akin vulnerabilities successful ImageIO and WebKit person antecedently been utilized successful Pegasus campaigns."

The latest updates travel conscionable a fewer days aft the merchandise of iOS 18.6.1 and WatchOS 11.6.1, which brought with them a caller (and hopefully non-patent-infringing) mentation of Apple's Blood Oxygen monitoring tool.