Apple extends zero-day security patches to legacy devices

Apple released security updates to backport patches to older iPhones and iPads, addressing a zero-day vulnerability that attackers exploited in "extremely sophisticated" targeted attacks.

What happened

Apple released iOS 15.8.5, iOS 16.7.12, iPadOS 15.8.5 and iPadOS 16.7.12 for older devices to address CVE-2025-43300, a zero-day vulnerability the company had already patched for newer devices on August 20. The flaw is in Apple's Image I/O framework, which lets apps read and write image file formats. It is an out-of-bounds write: malicious input causes the program to write data outside its allocated memory buffer, which can crash the process, corrupt data, or enable remote code execution. Apple's own security researchers discovered the vulnerability, and the fix adds improved bounds checking. The company acknowledged a report that attackers exploited the issue in sophisticated attacks against specific targeted individuals.

Going deeper

The vulnerability affects an extensive list of older Apple devices, including:

  • iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPhone 8, iPhone 8 Plus, and iPhone X
  • iPad Air 2, iPad mini (4th generation), iPad 5th generation, iPad Pro 9.7-inch, iPad Pro 12.9-inch 1st generation, and iPod touch (7th generation)

In late August, WhatsApp patched a zero-click vulnerability (CVE-2025-55177) in its iOS and macOS messaging clients, which attackers chained with Apple's CVE-2025-43300 zero-day in targeted attacks. 

What was said

Apple stated, "Processing a malicious image file may result in memory corruption. An out-of-bounds write issue was addressed with improved bounds checking."

The company further added, "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals."

Donncha Ó Cearbhaill, head of Amnesty International's Security Lab, said WhatsApp warned some users that their devices were targeted in an advanced spyware campaign.

In the know

Out-of-bounds write vulnerabilities occur when programs write data outside their allocated memory space, often due to insufficient input validation. The Image I/O framework processes various image file formats, making it a critical component that handles external data. Zero-click exploits are dangerous because they require no user interaction; simply receiving a malicious image file can trigger the vulnerability. Advanced spyware campaigns target high-value individuals like journalists, activists, or government officials using exploit chains that combine multiple vulnerabilities.
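To make the bug class above concrete, here is an added example (not Apple's code and not the actual CVE-2025-43300 defect): a decoder for a constructed toy raster format that copies header-declared pixel data into a fixed framebuffer, with the bounds checks a weak image decoder would omit and the error each one prevents.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy raster format (an assumption for this example, not Apple's
 * Image I/O): 4-byte header = width, height as little-endian u16, followed by
 * width*height 8-bit grayscale pixels that the decoder copies into a
 * fixed-size framebuffer. */
#define FB_MAX_PIXELS 4096u

enum decode_result { DEC_OK = 0, DEC_SHORT_HEADER, DEC_ZERO_DIM,
                     DEC_TOO_LARGE, DEC_TRUNCATED };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Bounds-checked decoder. The weak pattern the advisory describes would trust
 * width*height from the header and copy that many bytes into fb, writing past
 * the end of the buffer whenever the header overstates the image size. */
enum decode_result decode_image(const uint8_t *buf, size_t len,
                                uint8_t *fb, size_t fb_len, size_t *out_pixels)
{
    if (len < 4) return DEC_SHORT_HEADER;            /* header itself would be read OOB */
    uint32_t w = rd16(buf), h = rd16(buf + 2);
    if (w == 0 || h == 0) return DEC_ZERO_DIM;
    /* u16 * u16 always fits in u32, so this product cannot wrap; with wider
     * fields you must check w > SIZE_MAX / h before multiplying. */
    uint32_t npix = w * h;
    if (npix > fb_len) return DEC_TOO_LARGE;         /* the write would overrun fb */
    if (len - 4 < npix) return DEC_TRUNCATED;        /* the read would overrun buf */
    memcpy(fb, buf + 4, npix);
    if (out_pixels) *out_pixels = npix;
    return DEC_OK;
}

/* Constructed samples: a valid 3x2 image, a header claiming 65535x65535 pixels
 * with only 6 bytes behind it, and a 3x2 header followed by just 2 pixels. */
int run_samples(void)
{
    static uint8_t fb[FB_MAX_PIXELS];
    const uint8_t good[]  = { 3, 0, 2, 0, 10, 20, 30, 40, 50, 60 };
    const uint8_t lie[]   = { 0xFF, 0xFF, 0xFF, 0xFF, 1, 2, 3, 4, 5, 6 };
    const uint8_t trunc[] = { 3, 0, 2, 0, 1, 2 };
    size_t n = 0;
    int ok = decode_image(good, sizeof good, fb, sizeof fb, &n) == DEC_OK && n == 6
             && fb[5] == 60;
    ok = ok && decode_image(lie, sizeof lie, fb, sizeof fb, &n) == DEC_TOO_LARGE;
    ok = ok && decode_image(trunc, sizeof trunc, fb, sizeof fb, &n) == DEC_TRUNCATED;
    return ok;
}
```

The second sample is the shape of input that matters here: a header that lies about the image size, which a decoder without the `npix > fb_len` check turns into an out-of-bounds write.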

Why it matters

This incident shows the importance of legacy device security in healthcare environments, where older iPads and iPhones often remain in service for years due to budget constraints and compatibility requirements with medical software. Healthcare organizations frequently use iPads for patient intake, electronic health records access, and telemedicine applications. The nature of these attacks, combined with the targeting of specific individuals, suggests nation-state or advanced persistent threat actors who may specifically target healthcare professionals, researchers, or administrators with access to sensitive patient data. The vulnerability's presence in the Image I/O framework means that simply receiving a malicious image through email, messaging apps, or web browsing could compromise devices containing protected health information, potentially leading to HIPAA violations and exposing patient data.

The bottom line

Healthcare organizations using older Apple devices must immediately apply these security updates to prevent potential PHI exposure through spyware attacks. The zero-click nature of this exploit means that standard user training cannot prevent exploitation - only timely patching provides protection against these threats targeting healthcare data.

FAQs

Why does Apple continue supporting older devices with critical patches?

Apple extends patches to legacy devices because many users, including organizations, still rely on them for daily operations.

What makes zero-click exploits more dangerous than traditional malware?

Zero-click exploits require no user interaction, making them nearly impossible to prevent without patches.

Can regular antivirus apps protect against this vulnerability?

No, antivirus tools cannot block this exploit since it abuses system-level processes.

How does the Image I/O framework’s role increase the risk of exploitation?

Because it processes image data across multiple apps, a single flaw can impact many entry points.

Are Android devices affected by this Apple zero-day vulnerability?

No, this flaw is specific to Apple’s Image I/O framework in iOS and iPadOS.