Reprinted from TidBITS by permission; reuse governed by Creative Commons
license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary
on Apple and Internet topics. For free email subscriptions and access to the
entire TidBITS archive, visit http://www.tidbits.com/


              Apple Updates Block Zero-Day Malicious Image Exploit

   Adam Engst

   Apple has released a set of emergency security updates, including
   [1]iOS 18.6.2 and iPadOS 18.6.2, [2]iPadOS 17.7.10, [3]macOS 15.6.1
   Sequoia, [4]macOS 14.7.8 Sonoma, and [5]macOS 13.7.8 Ventura. The
   updates address a critical vulnerability in ImageIO that has been
   exploited.

   The ImageIO vulnerability, which Apple credits as being discovered
   internally, could allow an attacker to use a maliciously crafted image
   file to corrupt memory in an exploitable way. Apple acknowledged that
   this security flaw 'may have been exploited in an extremely
   sophisticated attack against specific targeted individuals.' This
   wording suggests that the vulnerability was weaponized for nation-state
   use in operations against high-value targets, likely involving spyware
   like Pegasus.

   Given the active exploitation, we recommend updating your devices
   promptly, especially if you are in a position that might be targeted by
   sophisticated attackers. While most users are extremely unlikely to be
   affected, there's no benefit in leaving your devices vulnerable in case
   the exploit is resold to less discerning attackers.

References

   1. https://support.apple.com/en-us/124925
   2. https://support.apple.com/en-us/124926
   3. https://support.apple.com/en-us/124927
   4. https://support.apple.com/en-us/124928
   5. https://support.apple.com/en-us/124929

.