Apple fixes critical Chrome zero-day security flaw
▼ Summary
– Apple released security updates to patch a high-severity zero-day vulnerability (CVE-2025-6558) exploited in attacks targeting Google Chrome users.
– The flaw, found in the ANGLE graphics layer, allows attackers to execute arbitrary code via malicious HTML pages and potentially escape browser sandbox protections.
– Google’s Threat Analysis Group discovered and reported the vulnerability in June, with Chrome patching it on July 15; Apple addressed it in updates for iOS, macOS, tvOS, and other devices.
– CISA added CVE-2025-6558 to its exploited vulnerabilities catalog, requiring federal agencies to patch by August 12 and urging all organizations to prioritize fixes.
– Apple has patched five other zero-day vulnerabilities exploited in attacks since January 2025, highlighting ongoing security threats.
Apple has rolled out urgent security updates to patch a critical zero-day vulnerability affecting Chrome users, marking another crucial step in protecting devices from potential cyberattacks. The flaw, identified as CVE-2025-6558, stems from improper input validation in the ANGLE graphics layer, a component responsible for translating OpenGL commands into formats compatible with various GPU APIs.
This security gap could allow attackers to execute malicious code within the browser’s GPU process by tricking users into visiting specially designed webpages. Worse yet, successful exploitation might enable hackers to break free from Chrome’s protective sandbox, gaining deeper access to the operating system.
The vulnerability was first uncovered in June by researchers from Google’s Threat Analysis Group (TAG), a team specializing in countering state-sponsored cyber threats. Google swiftly addressed the issue in Chrome on July 15, labeling it as actively exploited in the wild. Though details about the attacks remain scarce, TAG’s findings often involve sophisticated campaigns targeting activists, journalists, and political figures.
Apple’s latest patches cover a wide range of devices, including iPhone XS and newer models running iOS 18.6. According to Apple, the flaw could cause Safari to crash when processing harmful web content. The company emphasized that the issue originates from open-source code, affecting multiple software projects beyond its own ecosystem.
The Cybersecurity and Infrastructure Security Agency (CISA) has since added CVE-2025-6558 to its list of actively exploited vulnerabilities, urging federal agencies to apply fixes by August 12. While the directive primarily targets government networks, CISA strongly recommends that all organizations prioritize this update due to its high risk.
This marks Apple’s sixth zero-day patch this year, following similar fixes in January, February, March, and April. The repeated discoveries highlight the growing sophistication of cyber threats and the importance of timely software updates in safeguarding sensitive data.For users, the message is clear: delaying these updates could leave devices exposed to serious security risks. Ensuring all Apple products are running the latest software versions remains the best defense against emerging threats.
(Source: BLEEPING COMPUTER)
