Apple Updates Everything: July 2025
Apple today released updates for iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. This is a feature release, but it includes significant security updates. Apple patches a total of 89 different vulnerabilities. None of these vulnerabilities has been identified as exploited.
Apple's vulnerability descriptions are not very telling. Most vulnerabilities are likely DoS issues, causing a system or individual subsystems to crash. There are a few privilege escalation and sandbox escape vulnerabilities that Apple addressed in this update. Vulnerabilities identified as memory corruption or heap corruption may lead to code execution, but the exact scope is difficult to ascertain from Apple's limited information.
There are a few "interesting" vulnerabilities:
CVE-2025-43217: Privacy Indicators for microphone or camera access may not be correctly displayed. This likely refers to the green dot displayed next to Control Center, not the physical LED used by some Apple laptops.
CVE-2025-43240: A download's origin may be incorrectly associated. A "Mark of the Web" issue? Apple uses extended file attributes for this. Sadly, Apple gives no details that would help review existing downloads.
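Apple publishes no details, but the origin metadata itself can be inspected. The following is an added example, not from the diary, that decodes the two extended attributes macOS browsers and LaunchServices record on downloaded files: com.apple.metadata:kMDItemWhereFroms (a binary plist holding the download URL and, when recorded, the referrer) and com.apple.quarantine (a semicolon-separated record of flags, hex epoch, agent name and UUID). The xattr(1) call is macOS-only; the decoders and the constructed sample values run anywhere.

```python
import plistlib
import subprocess
import sys
from datetime import datetime, timezone

WHEREFROMS = "com.apple.metadata:kMDItemWhereFroms"   # real attribute name (download/referrer URLs)
QUARANTINE = "com.apple.quarantine"                    # real attribute name (quarantine record)

def decode_wherefroms(raw):
    """kMDItemWhereFroms is a binary plist: an array of URL strings, download URL first, referrer second."""
    value = plistlib.loads(raw)
    return [str(u) for u in value] if isinstance(value, list) else [str(value)]

def decode_quarantine(raw):
    """com.apple.quarantine is 'flags;hex-epoch;agent-name;uuid'; the uuid part may be absent."""
    parts = raw.decode("utf-8", "replace").split(";")
    parts += [""] * (4 - len(parts))
    flags, hex_ts, agent, uuid = parts[:4]
    when = datetime.fromtimestamp(int(hex_ts, 16), tz=timezone.utc).isoformat() if hex_ts else ""
    return {"flags": flags, "time": when, "agent": agent, "uuid": uuid}

def read_xattr(path, name):
    """macOS only: fetch the raw attribute bytes with xattr(1) in hex output (-x) and decode them."""
    try:
        proc = subprocess.run(["xattr", "-px", name, path], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None   # attribute absent, file missing, or not running on macOS
    return bytes.fromhex("".join(proc.stdout.split()))

def download_origin(path):
    """Summarise where a downloaded file came from, for after-the-fact review of a Downloads folder."""
    wf = read_xattr(path, WHEREFROMS)
    qa = read_xattr(path, QUARANTINE)
    return {"path": path, "urls": decode_wherefroms(wf) if wf else [],
            "quarantine": decode_quarantine(qa) if qa else None}

def constructed_sample():
    """Constructed attribute values (not read from a real file) so the decoders can be exercised offline."""
    wf = plistlib.dumps(["https://example.test/files/report.zip", "https://example.test/"], fmt=plistlib.FMT_BINARY)
    qa = b"0083;60000000;Safari;0123ABCD-0000-0000-0000-000000000000"
    return wf, qa

if __name__ == "__main__":
    wf, qa = constructed_sample()
    print("constructed:", decode_wherefroms(wf), decode_quarantine(qa))
    for f in sys.argv[1:]:   # real files, e.g. ~/Downloads/*, macOS only
        print(download_origin(f))
```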
For macOS, security-only updates are available for versions back to Ventura (macOS 13). For iOS/iPadOS, updates are available for 18 and 17.
| CVE | Description | Component | iOS 18.6 and iPadOS 18.6 | iPadOS 17.7.9 | macOS Sequoia 15.6 | macOS Sonoma 14.7.7 | macOS Ventura 13.7.7 | watchOS 11.6 | tvOS 18.6 | visionOS 2.6 |
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-24119 | An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges. | Finder | x | x | | | | | | |
| CVE-2025-24188 | Processing maliciously crafted web content may lead to an unexpected Safari crash. | Safari | x | | | | | | | |
| CVE-2025-24220 | An app may be able to read a persistent device identifier. | Sandbox Profiles | x | | | | | | | |
| CVE-2025-24224 | A remote attacker may be able to cause unexpected system termination. | Kernel | x | x | | | | | | |
| CVE-2025-31229 | Passcode may be read aloud by VoiceOver. | Accessibility | x | | | | | | | |
| CVE-2025-31243 | An app may be able to gain root privileges. | AppleMobileFileIntegrity | x | x | x | | | | | |
| CVE-2025-31273 | Processing maliciously crafted web content may lead to memory corruption. | WebKit | x | x | x | x | x | | | |
| CVE-2025-31275 | A sandboxed process may be able to launch any installed app. | MediaRemote | x | | | | | | | |
| CVE-2025-31276 | Remote content may be loaded even when the 'Load Remote Images' setting is turned off. | Mail Drafts | x | x | | | | | | |
| CVE-2025-31278 | Processing maliciously crafted web content may lead to memory corruption. | WebKit | x | | | | | | | |
| CVE-2025-31279 | An app may be able to fingerprint the user. | Find My | x | x | x | x | | | | |
| CVE-2025-31280 | Processing a maliciously crafted file may lead to heap corruption. | Model I/O | x | | | | | | | |
| CVE-2025-31281 | Processing a maliciously crafted file may lead to unexpected app termination. | Model I/O | x | x | x | x | | | | |
| CVE-2025-43184 | A shortcut may be able to bypass sensitive Shortcuts app settings. | Shortcuts | x | x | | | | | | |
| CVE-2025-43185 | An app may be able to access protected user data. | Voice Control | x | | | | | | | |
| CVE-2025-43186 | Parsing a file may lead to an unexpected app termination. | afclip | x | x | x | x | x | x | x | |
| CVE-2025-43187 | Running an hdiutil command may unexpectedly execute arbitrary code. | Disk Images | x | x | x | | | | | |
| CVE-2025-43188 | A malicious app may be able to gain root privileges. | DiskArbitration | x | | | | | | | |
| CVE-2025-43189 | A malicious app may be able to read kernel memory. | WebContentFilter | x | x | | | | | | |
| CVE-2025-43191 | An app may be able to cause a denial-of-service. | Admin Framework | x | x | x | | | | | |
| CVE-2025-43192 | Account-driven User Enrollment may still be possible with Lockdown Mode turned on. | Managed Configuration | x | x | | | | | | |
| CVE-2025-43193 | An app may be able to cause a denial-of-service. | SecurityAgent | x | x | x | | | | | |
| CVE-2025-43194 | An app may be able to modify protected parts of the file system. | PackageKit | x | x | x | | | | | |
| CVE-2025-43195 | An app may be able to access sensitive user data. | CoreServices | x | x | x | | | | | |
| CVE-2025-43196 | An app may be able to gain root privileges. | libxpc | x | x | x | | | | | |
| CVE-2025-43197 | An app may be able to access sensitive user data. | Single Sign-On | x | x | x | | | | | |
| CVE-2025-43198 | An app may be able to access protected user data. | Dock | x | x | | | | | | |
| CVE-2025-43199 | A malicious app may be able to gain root privileges. | Core Services | x | x | x | | | | | |
| CVE-2025-43202 | Processing a file may lead to memory corruption. | libnetcore | x | x | | | | | | |
| CVE-2025-43206 | An app may be able to access protected user data. | System Settings | x | x | x | | | | | |
| CVE-2025-43209 | Processing maliciously crafted web content may lead to an unexpected Safari crash. | ICU | x | x | x | x | x | x | x | x |
| CVE-2025-43210 | Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. | CoreMedia | x | x | x | x | x | x | x | x |
| CVE-2025-43211 | Processing web content may lead to a denial-of-service. | WebKit | x | x | x | x | x | x | | |
| CVE-2025-43212 | Processing maliciously crafted web content may lead to an unexpected Safari crash. | WebKit | x | x | x | x | x | | | |
| CVE-2025-43215 | Processing a maliciously crafted image may result in disclosure of process memory. | Model I/O | x | | | | | | | |
| CVE-2025-43216 | Processing maliciously crafted web content may lead to an unexpected Safari crash. | WebKit | x | x | x | x | x | x | | |
| CVE-2025-43217 | Privacy Indicators for microphone or camera access may not be correctly displayed. | Accessibility | x | x | | | | | | |
| CVE-2025-43218 | Processing a maliciously crafted USD file may disclose memory contents. | Model I/O | x | | | | | | | |
| CVE-2025-43219 | Processing a maliciously crafted image may corrupt process memory. | Model I/O | x | | | | | | | |
| CVE-2025-43220 | An app may be able to access protected user data. | copyfile | x | x | x | x | | | | |
| CVE-2025-43221 | Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. | Model I/O | x | x | x | x | | | | |
| CVE-2025-43222 | An attacker may be able to cause unexpected app termination. | CFNetwork | x | x | x | x | | | | |
| CVE-2025-43223 | A non-privileged user may be able to modify restricted network settings. | CFNetwork | x | x | x | x | x | x | x | x |
| CVE-2025-43225 | An app may be able to access sensitive user data. | Notes | x | x | x | x | | | | |
| CVE-2025-43227 | Processing maliciously crafted web content may disclose sensitive user information. | WebKit | x | x | x | x | x | | | |
| CVE-2025-43228 | Visiting a malicious website may lead to address bar spoofing. | WebKit | x | | | | | | | |
| CVE-2025-43229 | Processing maliciously crafted web content may lead to universal cross site scripting. | WebKit | x | | | | | | | |
| CVE-2025-43230 | An app may be able to access user-sensitive data. | CoreMedia Playback | x | x | x | x | x | x | | |
| CVE-2025-43232 | An app may be able to bypass certain Privacy preferences. | PackageKit | x | x | x | | | | | |
| CVE-2025-43233 | A malicious app acting as an HTTPS proxy could get access to sensitive user data. | Security | x | x | x | | | | | |
| CVE-2025-43234 | Processing a maliciously crafted texture may lead to unexpected app termination. | Metal | x | x | x | x | x | | | |
| CVE-2025-43235 | An app may be able to cause a denial-of-service. | Power Management | x | | | | | | | |
| CVE-2025-43236 | An attacker may be able to cause unexpected app termination. | Power Management | x | x | x | | | | | |
| CVE-2025-43237 | An app may be able to cause unexpected system termination. | WebContentFilter | x | | | | | | | |
| CVE-2025-43238 | An app may be able to cause unexpected system termination. | Xsan | x | x | x | | | | | |
| CVE-2025-43239 | Processing a maliciously crafted file may lead to unexpected app termination. | sips | x | x | x | | | | | |
| CVE-2025-43240 | A download's origin may be incorrectly associated. | WebKit | x | | | | | | | |
| CVE-2025-43241 | An app may be able to read files outside of its sandbox. | SceneKit | x | x | x | | | | | |
| CVE-2025-43243 | An app may be able to modify protected parts of the file system. | Software Update | x | x | x | | | | | |
| CVE-2025-43244 | An app may be able to cause unexpected system termination. | AMD | x | x | x | | | | | |
| CVE-2025-43245 | An app may be able to access protected user data. | AppleMobileFileIntegrity | x | x | x | | | | | |
| CVE-2025-43246 | An app may be able to access sensitive user data. | Spotlight | x | x | | | | | | |
| CVE-2025-43247 | A malicious app with root privileges may be able to modify the contents of system files. | PackageKit | x | x | x | | | | | |
| CVE-2025-43248 | A malicious app may be able to gain root privileges. | AppleMobileFileIntegrity | x | x | | | | | | |
| CVE-2025-43249 | An app may be able to gain root privileges. | AppleMobileFileIntegrity | x | x | x | | | | | |
| CVE-2025-43250 | An app may be able to break out of its sandbox. | SharedFileList | x | x | x | | | | | |
| CVE-2025-43251 | A local attacker may gain access to Keychain items. | User Management | x | | | | | | | |
| CVE-2025-43252 | A website may be able to access sensitive user data when resolving symlinks. | zip | x | | | | | | | |
| CVE-2025-43253 | A malicious app may be able to launch arbitrary binaries on a trusted device. | AppleMobileFileIntegrity | x | x | | | | | | |
| CVE-2025-43254 | Processing a maliciously crafted file may lead to unexpected app termination. | file | x | x | x | | | | | |
| CVE-2025-43255 | An app may be able to cause unexpected system termination. | GPU Drivers | x | x | x | | | | | |
| CVE-2025-43256 | An app may be able to gain root privileges. | StorageKit | x | x | | | | | | |
| CVE-2025-43257 | An app may be able to break out of its sandbox. | Archive Utility | x | | | | | | | |
| CVE-2025-43259 | An attacker with physical access to a locked device may be able to view sensitive user information. | WindowServer | x | x | x | | | | | |
| CVE-2025-43260 | An app may be able to hijack entitlements granted to other privileged apps. | PackageKit | x | x | | | | | | |
| CVE-2025-43261 | An app may be able to break out of its sandbox. | File Bookmark | x | x | x | | | | | |
| CVE-2025-43265 | Processing maliciously crafted web content may disclose internal states of the app. | WebKit | x | x | x | x | x | | | |
| CVE-2025-43266 | An app may be able to break out of its sandbox. | NSSpellChecker | x | x | x | | | | | |
| CVE-2025-43267 | An app may be able to access sensitive user data. | Directory Utility | x | | | | | | | |
| CVE-2025-43268 | A malicious app may be able to gain root privileges. | Kernel | x | | | | | | | |
| CVE-2025-43270 | An app may gain unauthorized access to Local Network. | Notes | x | x | x | | | | | |
| CVE-2025-43273 | A sandboxed process may be able to circumvent sandbox restrictions. | CoreMedia | x | | | | | | | |
| CVE-2025-43274 | A sandboxed process may be able to circumvent sandbox restrictions. | RemoteViewServices | x | | | | | | | |
| CVE-2025-43275 | An app may be able to break out of its sandbox. | NetAuth | x | x | x | | | | | |
| CVE-2025-43276 | iCloud Private Relay may not activate when more than one user is logged in at the same time. | Kernel | x | | | | | | | |
| CVE-2025-43277 | Processing a maliciously crafted audio file may lead to memory corruption. | CoreAudio | x | x | x | x | x | | | |
| CVE-2025-6558 | Processing maliciously crafted web content may lead to an unexpected Safari crash. | WebKit | x | x | x | x | x | x | | |
| CVE-2025-7424 | Processing maliciously crafted web content may lead to memory corruption. | libxslt | x | x | x | x | x | x | x | |
| CVE-2025-7425 | Processing a file may lead to memory corruption. | libxml2 | x | x | x | x | x | | | |
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
Triage is Key! Python to the Rescue!
When you need to quickly analyze a lot of data, there is one critical step to perform: triage. In forensic investigations, this step matters because it allows investigators to quickly identify, prioritize, and isolate the most relevant or high-value evidence from large volumes of data, ensuring that limited time and resources are focused on the artifacts most likely to reveal key facts about an incident. Sometimes, a quick script is enough to speed up this task.
Today, I'm working on a case where I have a directory containing +20.000 mixed files. Among them are a lot of ZIP archives (mainly Office documents), which themselves contain many files. The idea is to scan all those files (including the contents of the ZIP archives) for some keywords. I wrote a quick Python script that scans every file against an embedded YARA rule and, if a match is found, copies the original file into a destination directory.
Here is the script:
```python
#
# Quick Python triage script
# Copy files matching a YARA rule to another directory
#
import yara
import os
import shutil
import zipfile

# YARA rule (the search strings are placeholders for the real case keywords)
yara_rule = """
rule case_xxxxxx_search_1
{
    strings:
        $s1 = "string1" nocase wide ascii
        $s2 = "string2" nocase wide ascii
        $s3 = "string3" nocase wide ascii
        $s4 = "string4" nocase wide ascii
        $s5 = "string5" nocase wide ascii
    condition:
        any of ($s*)
}
"""

source_dir = "Triage"
dest_dir = "MatchedFiles"
os.makedirs(dest_dir, exist_ok=True)
rules = yara.compile(source=yara_rule)


def is_zip_file(filepath):
    """
    Check ZIP archive magic bytes.
    """
    try:
        with open(filepath, "rb") as f:
            sig = f.read(4)
        return sig in (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
    except Exception:
        return False


def safe_extract_path(member_name):
    """
    Returns a safe relative path inside the destination folder (prevent .. in paths).
    Defined for future extraction use; the scan below never writes archive members to disk.
    """
    return os.path.normpath(member_name).replace("..", "_")


def scan_file(filepath, file_bytes=None, inside_zip=False, zip_name=None, member_name=None):
    """
    Scan a file with YARA. For a ZIP member, the whole archive is copied on a match.
    """
    try:
        if file_bytes is not None:
            matches = rules.match(data=file_bytes)
        else:
            matches = rules.match(filepath)
        if matches:
            if inside_zip:
                print(f"[MATCH] {member_name} (inside {zip_name})")
                rel_path = os.path.relpath(zip_name, source_dir)
                filepath = os.path.join(source_dir, rel_path)
                dest_path = os.path.join(dest_dir, rel_path)
            else:
                print(f"[MATCH] {filepath}")
                rel_path = os.path.relpath(filepath, source_dir)
                dest_path = os.path.join(dest_dir, rel_path)
            # Save a copy, preserving the relative directory layout and timestamps
            os.makedirs(os.path.dirname(dest_path), exist_ok=True)
            shutil.copy2(filepath, dest_path)
    except Exception as e:
        print(e)


# Main
for root, dirs, files in os.walk(source_dir):
    for name in files:
        filepath = os.path.join(root, name)
        if is_zip_file(filepath):
            try:
                with zipfile.ZipFile(filepath, 'r') as z:
                    for member in z.namelist():
                        if member.endswith("/"):
                            # Skip directories
                            continue
                        try:
                            file_data = z.read(member)
                            scan_file(member, file_bytes=file_data, inside_zip=True,
                                      zip_name=filepath, member_name=member)
                        except Exception:
                            pass
            except zipfile.BadZipFile:
                pass
        else:
            scan_file(filepath)
```
Now, you can enjoy some coffee while the script does the job:
```
[MATCH] docProps/app.xml (inside Triage\xxxxxxx.xlsx)
[MATCH] xl/sharedStrings.xml (inside Triage\xxxxx.xlsx)
[MATCH] xl/sharedStrings.xml (inside Triage\xxxxxxxxxxxxxxxxxxxx.xlsx)
[MATCH] ppt/slides/slide3.xml (inside Triage\xxxxxxxxxxxxxxxxxxxxxx.pptx)
[MATCH] ppt/slides/slide12.xml (inside Triage\xxxxxxxxxxxxxxxxxxxxxx.pptx)
[MATCH] ppt/slides/slide14.xml (inside Triage\xxxxxxxxxxxxxxxxxxxxxx.pptx)
[MATCH] ppt/slides/slide15.xml (inside Triage\xxxxxxxxxxxxxxxxxxxxxx.pptx)
[MATCH] xl/sharedStrings.xml (inside Triage\xxxxxxxx.xlsx)
[MATCH] Triage\xxxxxxxxxxxxxxxxxxxxxxx.pdf
[MATCH] Triage\xxxxxxxxxxxxxxxxxxx.xls
[MATCH] xl/sharedStrings.xml (inside Triage\xxxxxxxxxxxxxxxx.xlsx)
[MATCH] Triage\xxxxxxxxxxxxxxxxxxxxxxxxxx.xls
```
You can see that, with a few lines of Python, you can speed up the triage phase of your investigations. Note that the script is written to handle my current file set and is not ready for broader use (for example, it does not handle password-protected archives or other archive types).
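As an added example (not the diary's script), the following extends the same idea in two directions the script above leaves open: it descends into ZIPs nested inside ZIPs, and it emulates the rule's `nocase wide ascii` matching in plain Python so it runs without the yara module; it also reports encrypted members explicitly and refuses oversized members instead of silently swallowing errors. The keywords, the limits and the sample archive are constructed placeholders.

```python
import io
import zipfile

KEYWORDS = ["string1", "string2"]          # stand-ins for the diary's $s1..$s5 strings (constructed)
MAX_DEPTH = 3                              # nesting limit: ZIP inside ZIP inside ZIP
MAX_MEMBER_BYTES = 50 * 1024 * 1024        # refuse to inflate oversized members (zip-bomb guard)
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

def keyword_hits(data, keywords=KEYWORDS):
    """Emulate YARA `nocase wide ascii`: ASCII and UTF-16LE forms, case-insensitive (ASCII letters only)."""
    low = data.lower()   # bytes.lower() leaves NUL bytes alone, so the wide form still lines up
    return [kw for kw in keywords
            if kw.lower().encode() in low or kw.lower().encode("utf-16-le") in low]

def scan_blob(data, label, depth=0):
    """Scan a blob; if it is a ZIP (Office files are), descend into each member. Returns [(label, hits)]."""
    results = []
    hits = keyword_hits(data)
    if hits:
        results.append((label, hits))
    if data[:4] not in ZIP_MAGIC or depth >= MAX_DEPTH:
        return results
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue   # skip directory entries and members that would inflate too large
                try:
                    member = z.read(info)
                except RuntimeError:   # zipfile raises this for encrypted members (password required)
                    results.append((f"{label}!{info.filename}", ["<encrypted, not scanned>"]))
                    continue
                results.extend(scan_blob(member, f"{label}!{info.filename}", depth + 1))
    except zipfile.BadZipFile:
        pass   # magic bytes matched but the container is not a usable ZIP
    return results

def build_sample():
    """Constructed input: an outer ZIP holding an Office-style ZIP, mirroring the diary's file set."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/sharedStrings.xml", b"<sst><si><t>Invoice STRING1 overdue</t></si></sst>")
        z.writestr("xl/workbook.xml", "string2".encode("utf-16-le"))   # wide (UTF-16LE) form
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("report.xlsx", inner.getvalue())
        z.writestr("notes.txt", b"nothing relevant")
    return outer.getvalue()
```

Calling `scan_blob(build_sample(), "bundle.zip")` reports the two matching members inside the nested spreadsheet with labels such as `bundle.zip!report.xlsx!xl/sharedStrings.xml`; on a real file set, feed each file's bytes to `scan_blob` with its path as the label.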
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant