Saturday, August 2, 2025

Apple Patches Zero-Day Exploit Targeting Google Chrome Users


Apple recently issued a round of system updates to patch a zero-day exploit that was used to target Google Chrome users. The vulnerability, tracked as CVE-2025-6558, was discovered in June by Google’s Threat Analysis Group (TAG), which said it had been actively exploited in the wild.

Which Apple operating systems were patched?

Google Chrome is available on various Apple devices, so patches were released for these operating systems:

  • macOS Sequoia 15.6
  • iOS 18.6
  • iPadOS 18.6
  • tvOS 18.6
  • iPadOS 17.7.9
  • visionOS 2.6
  • watchOS 11.6

Some operating systems are used on multiple devices. For example, iPadOS 18.6 is featured in every generation of the iPad Pro 11-inch and 13-inch, but it’s only used in the third generation and later of the iPad Pro 12.9-inch. It’s also used in the iPad Air third generation or later, the iPad Mini fifth generation or later, and the iPad seventh generation or later.

There’s a similar vulnerability in Apple’s Safari, though it’s only known to crash the web browser. According to Apple, the exploit has not been used to attack any Safari users.

How hackers used the Chrome exploit

The CVE-2025-6558 bug exploits flawed validation within ANGLE (Almost Native Graphics Layer Engine), which is used in Chrome’s rendering pipeline. Once compromised, hackers can craft malicious webpages to execute code within the browser’s GPU process, allowing them to bypass the internal safeguards that are supposed to separate web browser processes from OS processes. This can potentially grant the attacker elevated access to the system.

A July 22 blog post by the Office of Information Technology Services with New York State reads, in part: “Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Who’s behind the attack?

Google’s TAG has not yet attributed CVE-2025-6558 to any specific attacker or threat group, but the team often reports on threats linked to state-sponsored hackers.

On July 15, Google released its own patch for Chrome that covered patched versions 138.0.7204.157/.158 for Windows and macOS and 138.0.7204.157 for Linux.

Protecting Apple and Google users from the latest threats

The latest vulnerability marks the sixth zero-day exploit patched by Apple in 2025 so far, and it’s possible we’ll see more this year. As always, Apple recommends downloading and installing the latest updates as soon as they’re made available to the public.
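A fleet check built from the patched releases listed in this article, shown as an added example that is not part of the original article or any vendor tooling. It compares each device against the fix on its own major branch, which matters because iPadOS was patched on two branches (17.7.9 and 18.6). The inventory, host names and the rule that a newer major release already contains the fix are assumptions.

```python
# Added example. Patched versions come from the article; everything else is assumed.
PATCHED = {
    "macOS": [(15, 6)],
    "iOS": [(18, 6)],
    "iPadOS": [(17, 7, 9), (18, 6)],  # two patched branches
    "tvOS": [(18, 6)],
    "visionOS": [(2, 6)],
    "watchOS": [(11, 6)],
    "Chrome": [(138, 0, 7204, 157)],  # lowest patched build across platforms
}

def parse(version):
    """Turn '17.7.9' into (17, 7, 9)."""
    return tuple(int(part) for part in version.strip().split("."))

def at_least(version, fix):
    """Compare after zero-padding, so 18.6 and 18.6.0 are treated as equal."""
    width = max(len(version), len(fix))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(version) >= pad(fix)

def is_patched(product, version):
    """True if the version is at or above the fix on its own major branch."""
    v = parse(version)
    fixes = sorted(PATCHED[product])
    same_branch = [f for f in fixes if f[0] == v[0]]
    if same_branch:
        return at_least(v, same_branch[0])
    # No listed fix for this major version: an older branch is reported as
    # unpatched, a newer one is assumed to already contain the fix.
    return v[0] > fixes[-1][0]

# Constructed sample inventory: (host, product, installed version)
INVENTORY = [
    ("ipad-lab-01", "iPadOS", "17.7.9"),
    ("ipad-lab-02", "iPadOS", "18.5"),
    ("mbp-dev-07", "macOS", "15.6"),
    ("mbp-dev-07", "Chrome", "138.0.7204.100"),
    ("watch-03", "watchOS", "11.6.1"),
    ("linux-ci-02", "Chrome", "138.0.7204.157"),
]

def unpatched(inventory):
    """Return the inventory rows that still need the update."""
    return [(h, p, v) for h, p, v in inventory if not is_patched(p, v)]

if __name__ == "__main__":
    for host, product, version in unpatched(INVENTORY):
        print(f"{host}: {product} {version} is below the patched release")
```

A single "18.6 or later" rule would wrongly flag the iPadOS 17.7.9 device, and a single "17.7.9 or later" rule would wrongly pass the one on 18.5.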
