![\"macOS](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/03\/Safari-and-Chromium-based-browsers-Chrome-Edge-Brave-Opera-Vivaldi-logos-600x300-1.jpg\")
<\/p>\n<\/p>\n
On Tuesday, March 11, Apple released security updates for several of its operating systems: iOS, iPadOS, macOS, and visionOS. The updates address a single “exploited” (i.e. in-the-wild, or zero-day) vulnerability\u2014the third that Apple has patched in 2025. According to Apple, hackers had used the flaw in “an extremely sophisticated attack” against iPhones around late 2023.<\/strong><\/p>\n One day earlier, Google released an update for its Chrome browser for Mac, Windows, and Linux addressing the same vulnerability. Other Chromium-based browsers and apps have begun rolling out corresponding updates.<\/p>\n Here’s everything you need to know about these critical security fixes.<\/p>\n In this article:<\/em><\/p>\n Apple released the following updates on Tuesday to address the single security flaw:<\/p>\n Following are the details<\/a> that Apple provided about this vulnerability on Tuesday:<\/p>\n WebKit<\/strong> Google provided a few additional details in its release notes<\/a> on Monday:<\/p>\n High<\/strong> CVE-2025-24201: Out of bounds write in GPU on Mac. Reported by Apple Security Engineering and Architecture (SEAR) on 2025-03-05 \u2026 Google is aware of reports that an exploit for CVE-2025-24201 exists in the wild.<\/span><\/strong> Notably, Apple points out that the flaw was exploited “before iOS 17.2.” Apple released that iOS update on December 11, 2023\u2014well over a year ago.<\/p>\n It’s interesting to note that Apple’s OS releases from late January 2025 (iOS 18.3, macOS Sequoia 15.3, etc.) also addressed a security vulnerability<\/a> (CVE-2025-24085) that “may have been actively exploited against versions of iOS before iOS 17.2.” Apple technically did not credit any particular researcher for that flaw, but also did not state that the vulnerability was reported anonymously; thus it appears that Apple discovered and patched both of these flaws more than a year after they were first exploited.<\/p>\n Perhaps an internal team at Apple has been spending time reverse engineering past nation-state level attack chains, in an effort to further harden its operating systems against similar attacks.<\/a><\/a><\/p>\n Apple released one other operating system update on Tuesday: tvOS 18.3.1. The update only applies to one specific model of Apple TV, as detailed below.<\/p>\n According to the Apple security releases<\/a> page, tvOS 18.3.1 “has no published CVE entries.” This indicates that the WebKit vulnerability was not patched in this update, for whatever reason.<\/p>\n On Apple’s About Apple TV 4K and Apple TV HD software updates<\/a> page, the company explains what the update includes:<\/p>\n This update addresses an issue that may prevent playback of some streaming content on Apple TV 4K (3rd generation).<\/p><\/blockquote>\n Normally, Apple updates HomePod Software (sometimes called audioOS) along with tvOS, but that wasn’t the case<\/a> this week.<\/p>\n Apple has not released any watchOS updates this week, either. Although WebKit is an underlying technology in all of Apple’s operating systems, it’s unclear whether CVE-2025-24201 may be exploitable on watchOS or tvOS.<\/p>\n Notably, Apple chose not to patch CVE-2025-24201 for iPadOS 17 this week\u2014even though the flaw clearly affects that OS. Until now, Apple has been releasing partial security patches for the previous iPad operating system, specifically for devices that are incompatible with iPadOS 18.<\/a><\/p>\n If you haven’t yet upgraded to macOS Sequoia<\/strong>, be sure to first update your critical software. For example, run Intego’s NetUpdate utility and install all available updates, and then check for updates for all other software that you use regularly. Next, check for macOS updates by going to System Settings<\/strong> > General<\/strong> > Software Update<\/strong>.<\/p>\n If you have any trouble getting the macOS update to show up, either press \u2318R at the Software Update screen, or type in the Terminal Note that Apple only ever fully patches the latest macOS version (currently, that’s macOS Sequoia)<\/strong>; older macOS versions only get a subset of those patches and remain vulnerable. Therefore, staying on the latest macOS version is critically important for maintaining your security and privacy. For more information, see our article, “When does an old Mac become unsafe to use?<\/a>”<\/p>\n <\/p>\n Users of iPhone or iPad<\/strong> can open the Settings app<\/strong> and choose General<\/strong> > Software Update<\/strong> to update iOS or iPadOS on their devices. (This is an “over the air” or OTA update.) Alternatively, you can connect your device to your Mac, click on the device name in a Finder window sidebar, and check for updates there; or, if you use a Windows PC, you can use the Apple Devices app<\/a>.<\/p>\n Similarly, users of Apple Vision Pro<\/strong>\u00a0can open the Settings app<\/strong> and choose General<\/strong> > Software Update<\/strong> to update visionOS.<\/p>\n To update tvOS on your Apple TV<\/strong>, open the Settings app and choose System<\/strong> > Software Updates<\/strong>.<\/p>\n <\/p>\n Whenever you’re preparing to update macOS, iOS, or iPadOS, it’s a good idea to always back up your data<\/strong> before installing any updates. This gives you a restore point if something does not go as planned. See our related article on how to check your macOS backups to ensure they work correctly<\/a>.<\/p>\n How to Verify Your Backups are Working Properly<\/a><\/p><\/blockquote>\n\n
What Apple and Google revealed about CVE-2025-24201<\/h3>\n
\n
\n
\nImpact: Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)<\/span><\/strong>
\nDescription: An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions.
\nCVE-2025-24201: Apple<\/p>\n<\/blockquote>\n\n
\nDescription: An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions.
\nChromium issue number: 401059730<\/a><\/a><\/p>\n<\/blockquote>\nWhy did Apple patch a 2023 vulnerability in 2025?<\/h3>\n
What about tvOS, watchOS, and iPadOS 17?<\/h3>\n
How to install Apple security updates<\/h3>\n
For macOS updates<\/strong><\/h4>\n
softwareupdate -l<\/code> (that\u2019s a lowercase L) and press Return\/Enter, then check System Settings > General > Software Update again.<\/p>\nFor other Apple OS updates<\/strong><\/h4>\n
It’s wise to back up before updating<\/strong><\/h4>\n