Apple has launched iOS 18.3.2, an working system replace that fixes a vulnerability in WebKit, the browser engine utilized by Safari to render net pages. The flaw allowed malicious code working contained in the Net Content material sandbox, an remoted surroundings for net processes designed to restrict safety dangers, to influence different components of the machine.
Apple beforehand fastened this vulnerability, CVE-2025-24201, with the discharge of iOS 17.2 again in late 2023, however this launch provides a supplemental patch. Within the launch notes for iOS 18.3.2, Apple acknowledged that the problem has been “addressed with improved checks to forestall unauthorized actions.” That very same patch has additionally been utilized in iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1.
“Vulnerabilities in WebKit needs to be patched rapidly, as it’s the framework that powers Safari and renders different web-based content material,” Adam Boynton, Senior Safety Technique Supervisor at Apple safety agency Jamf, advised TechRepublic in an e-mail.
“On this specific flaw, attackers have been ready to make use of maliciously crafted net content material to flee the iOS Net Content material sandbox. Breaking out of a sandbox permits an attacker to entry information in different components of the working system.”
A mysterious delay: Why did Apple take so lengthy?
It isn’t clear why the preliminary repair was not enough or why Apple has solely now launched the replace this week, however the firm does confer with “a particularly subtle assault in opposition to particular focused people on variations of iOS earlier than iOS 17.2” which can have occurred not too long ago. This means that state-sponsored hackers have been exploiting the vulnerability to surveil high-profile people, reminiscent of authorities officers, journalists, or senior enterprise executives.
SEE: Why is Apple Taking Authorized Motion In opposition to UK’s Authorities?
The truth that this replace comes only a month after iOS 18.3.1 and addresses just one safety problem does point out urgency. Cupertino usually withholds detailed details about vulnerabilities within the early levels to provide customers time to replace their units. This technique helps stop attackers from exploiting the flaw earlier than the vast majority of customers have secured their techniques with the most recent replace.
Curiously, iOS 18.3.1 landed simply someday after Google launched an replace for its Chrome browser on Mac, Home windows, and Linux units which additionally patches CVE-2025-24201. Like Apple, Google described it as an out-of-bounds write problem for the Mac GPU and famous that it had a excessive influence and is conscious that an exploit for it exists within the wild. It was reported to Google by Apple Safety Engineering and Structure on March 5, so it appears Apple has been working by itself patch for quite a few weeks.
Why it’s best to replace your Apple units now
On high of patching CVE-2025-24201, the Apple replace “addresses a problem that will stop playback of some streaming content material.” Some social media customers have additionally reported that the replace masses with Apple Intelligence, Apple’s bespoke synthetic intelligence system, robotically enabled, even when the consumer had beforehand switched it off. That is irritating some customers who don’t want for his or her information to be analysed by the mannequin, however they’re able to change it off once more.
Regardless of this, it’s really useful that Apple customers replace their units as quickly as attainable, particularly these working an older working system than iOS 17.2, to forestall unhealthy actors making an attempt to take advantage of the now-publicised vulnerability. It’s obtainable for iPhone XS and all newer iPhones, in addition to iPad Professional (11-inch, third gen and later, and 12.9-inch,1st gen and later), iPad Air (third gen and later), iPad (seventh gen and later), and iPad mini (fifth gen and later).
You ought to be prompted in regards to the replace robotically, but when not, you’ll be able to provoke the obtain manually by going to Settings, Basic, after which Software program Replace.