The Register: Apple plugs security hole in its iThings that’s already been exploited in iOS

Source URL: https://www.theregister.com/2025/01/28/apple_cve_2025_24085/
Source: The Register
Title: Apple plugs security hole in its iThings that’s already been exploited in iOS

Feedly Summary: Cupertino kicks off the year with a zero-day
Apple has plugged a security hole in the software at the heart of its iPhones, iPads, Vision Pro goggles, Apple TVs and macOS Sequoia Macs, warning some miscreants have already exploited the bug.…

AI Summary and Description: Yes

**Summary:** Apple has patched a significant vulnerability (CVE-2025-24085) that affects multiple devices, including iPhones, iPads, and Macs, which has already been exploited in the wild. This use-after-free flaw could allow malicious apps to gain elevated privileges, underlining the importance of timely software updates for security.

**Detailed Description:**
Apple has recently addressed a critical vulnerability in its software ecosystem that poses substantial risks to user security. This vulnerability, tracked as CVE-2025-24085, is a use-after-free flaw located within the CoreMedia component, which is integral to how Apple devices handle audio and video functionalities. Here are the critical aspects of this vulnerability and its implications:

– **Vulnerability Details:**
  – The flaw is a use-after-free vulnerability, which a malicious application could exploit to gain elevated privileges on the device.
  – The flaw was exploited as a zero-day, meaning it was being actively exploited before Apple released the patch.

– **Affected Devices:**
  – This vulnerability impacts a wide range of Apple devices, including:
    – iPhones (iPhone XS and later)
    – iPads (from iPad Pro models to iPad mini 5)
    – Apple TV (HD and 4K models)
    – Vision Pro goggles
    – macOS devices running Sequoia

– **Security Updates:**
  – Apple has released software updates addressing CVE-2025-24085 across its platforms, including:
    – iOS 18.3 and iPadOS 18.3
    – visionOS 2.3 for Vision Pro
    – tvOS 18.3 for Apple TV
    – macOS Sequoia 15.3 for Macs

– **Additional Vulnerabilities:**
  – Alongside CVE-2025-24085, Apple addressed several other security flaws, including:
    – CVE-2025-24137: A flaw exploitable via AirPlay to run arbitrary code.
    – CVE-2025-24145: A flaw that lets an app read a user’s phone number from system logs.
    – CVE-2025-24107 and CVE-2025-24159: Flaws that let rogue apps gain root privileges and kernel-level access, respectively.

– **Implications for Users and Security Needs:**
  – Users are strongly advised to install the latest updates to mitigate the risks posed by these vulnerabilities.
  – This incident illustrates why organizations and individuals need to keep software up to date and actively monitor for security patches, especially when multiple vulnerabilities are disclosed concurrently.

In conclusion, the swift response from Apple underscores the importance of proactive security measures in protecting infrastructure and personal data against evolving threats in the software landscape. Security professionals should continuously advocate for rigorous patch management processes in their organizations to mitigate risks related to vulnerabilities like CVE-2025-24085.