Wide-ranging Apple security update addresses over 30 vulnerabilities  – CyberScoop

Apple rolled out a series of substantial security updates Monday for its major software platforms, with advisories covering iOS, iPadOS, and two versions of macOS lines, addressing more than 30 vulnerabilities in total. 

Among the numerous fixes, iOS 18.5 and iPadOS 18.5 introduce the first security update for Apple’s in-house C1 modem, featured in the newly released iPhone 16e. The patch addresses a baseband vulnerability (CVE-2025-31214) that, according to the company, could have allowed an attacker “in a privileged network position” to intercept network traffic. While the specific details remain undisclosed, the risk highlights concerns about how devices communicate on the hardware level, since baseband processors control things like data transmission, call processing, and other network functions.

The company also patched some privacy-focused vulnerabilities in macOS Sequoia, its operating system for desktop and laptop computers. The updates cover components such as Apple Intelligence, Core Bluetooth, Finder, the Transparency, Consent, and Control (TCC) framework, and additional core system features. Each issue potentially allowed applications — sometimes sandboxed or otherwise restricted — to access sensitive personal data, ranging from identity and authentication information to usage logs and private communications.

StoreKit, Notification Center, and Core Bluetooth were also patched after researchers reported privacy issues that could expose user data through logs, improperly managed application states, or permissions lapses. As with other updates, Apple did not indicate that any of these flaws were exploited prior to patching.

Critical vulnerabilities across all platforms reveal recurring categories of vulnerabilities: out-of-bounds reads, memory corruption, double-free errors, and logic errors that break down core security controls. Multiple vulnerabilities affected shared codebases or cross-platform components, including AppleJPEG, CoreMedia, and WebKit, which are all used in iOS, iPadOS, and macOS. 

Some other vulnerabilities addressed include:

• Attackers with physical access potentially retrieving deleted content or data from Apple Notes, even if a device is locked.
• Malicious applications gaining elevated privileges, escaping sandboxes, or bypassing privacy controls.
• Weaknesses in open-source libraries (e.g., libexpat, OpenSSH) bundled with Apple software, several of which could lead to arbitrary code execution or data leaks.
• Flaws in the WebKit web engine allowing denial-of-service, information leaks, or memory corruption when parsing web content — a recurring category for Apple browser security.

While Apple said there is no indication of active exploitation for these vulnerabilities, the breadth and variety of the issues underscore the complexity of maintaining security in platforms as popular and interconnected as the company’s ecosystem. Researchers noted that eight different macOS Sequoia components separately had flaws with privacy impact.

Further details are available on Apple’s website. 

The post Wide-ranging Apple security update addresses over 30 vulnerabilities appeared first on CyberScoop.

  –

Read More  – CyberScoop