Install quickly: Apple fixes zero-day attack in WebKit
According to Google, a WebKit gap in Chrome has already been actively attacked. However, Apple's security notes do not contain any information on this.
Safari icon in wrong colors: The Apple browser should be updated quickly.
(Image: Apple)
Apple's updates for iOS, iPadOS, and macOS released on Wednesday night should be installed quickly. As has just been revealed, this also fixes a WebKit bug for which an exploit already exists. However, this has so far only been used to attack Chrome users, as stated in the corresponding NIST report (CVE-2025-6558). The bug is rated “Severity: High”. Confusing: Apple does not warn of known active attacks in its security documents – apparently because there are no corresponding reports for Apple's Safari browser.
Is Safari just crashing?
According to Google, whose own Threat Analysis Group (TAG) discovered the bug, it has been observed in Chrome versions before 138.0.7204.157 how a remote attacker was able to perform a sandbox breakout via a manipulated website, which then leads to further problems. The reason is the processing of unverified inputs in the GPU and ANGLE modules.
Videos by heise
Apple itself only writes that CVE-2025-6558 could lead to an “unexpected crash” in Safari, there is no mention of a sandbox outbreak. It could therefore be that the severity is lower on Apple platforms, but there is no confirmation of this as yet. Apple also writes that it is a vulnerability “in open-source code” and that Apple's own software is “among the affected products.”
Update for older macOS versions
The WebKit bug is fixed – along with numerous other bugs – in iOS 18.6 as well as in iPadOS 18.6 and macOS 15.6. Furthermore, an update for macOS 13 (Ventura) and 14 (Sonoma) was also released with a one-day delay: Safari 18.4 as a single download. It is not yet clear why Apple initially delayed the browser for the older systems. iPadOS 17.7.9, which Apple released alongside iOS 18.6 and the like, also contains the fix. iOS 17, on the other hand, is no longer being maintained by the manufacturer.
This process shows that you have to pay close attention to security updates. Google's TAG has not yet revealed who the attackers were and how widespread the exploit on Chrome is. Anyone who uses the browser (or one based on Chromium) should also update it urgently. Installing a current Safari or macOS version will not help against the exploit.
Empfohlener redaktioneller Inhalt
Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.
(bsc)
