Apple has released iOS 18.3.2, an operating system update that fixes a vulnerability in WebKit, the browser engine used by Safari to render web pages. The flaw allowed malicious code running inside the Web Content sandbox, an isolated environment for web processes designed to limit security risks, to impact other parts of the device.
Apple previously fixed this vulnerability, CVE-2025-24201, with the release of iOS 17.2 back in late 2023, but this release adds a supplemental patch. In the release notes for iOS 18.3.2, Apple stated that the issue has been “addressed with improved checks to prevent unauthorized actions.” That same patch has also been applied in iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1.
“Vulnerabilities in WebKit should be patched quickly, as it is the framework that powers Safari and renders other web-based content,” Adam Boynton, Senior Security Strategy Manager at Apple security firm Jamf, told TechRepublic in an email.
“In this particular flaw, attackers were able to use maliciously crafted web content to escape the iOS Web Content sandbox. Breaking out of a sandbox allows an attacker to access data in other parts of the operating system.”
A mysterious delay: Why did Apple take so long?
It is not clear why the initial fix was not sufficient or why Apple has only now released the update this week, but the company does refer to “an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2” which may have occurred recently. This suggests that state-sponsored hackers have been exploiting the vulnerability to surveil high-profile individuals, such as government officials, journalists, or senior business executives.
SEE: Why is Apple Taking Legal Action Against UK’s Government?
The fact that this update comes just a month after iOS 18.3.1 and addresses only one security issue does indicate urgency. Cupertino typically withholds detailed information about vulnerabilities in the early stages to give users time to update their devices. This strategy helps prevent attackers from exploiting the flaw before the majority of users have secured their systems with the latest update.
Curiously, iOS 18.3.1 landed just one day after Google released an update for its Chrome browser on Mac, Windows, and Linux devices which also patches CVE-2025-24201. Like Apple, Google described it as an out-of-bounds write issue for the Mac GPU and noted that it had a high impact and is aware that an exploit for it exists in the wild. It was reported to Google by Apple Security Engineering and Architecture on March 5, so it seems Apple has been working on its own patch for a number of weeks.
Why you should update your Apple devices now
On top of patching CVE-2025-24201, the Apple update “addresses an issue that may prevent playback of some streaming content.” Some social media users have also reported that the update loads with Apple Intelligence, Apple’s bespoke artificial intelligence system, automatically enabled, even if the user had previously switched it off. This is frustrating some users who don’t wish for their data to be analysed by the model, but they are able to switch it off again.
Despite this, it’s recommended that Apple users update their devices as soon as possible, especially those running an older operating system than iOS 17.2, to prevent bad actors attempting to exploit the now-publicised vulnerability. It is available for iPhone XS and all newer iPhones, as well as iPad Pro (11-inch, 3rd gen and later, and 12.9-inch,1st gen and later), iPad Air (3rd gen and later), iPad (7th gen and later), and iPad mini (5th gen and later).
You should be prompted about the update automatically, but if not, you can initiate the download manually by going to Settings, General, and then Software Update.
