The Mac Security Blog

Apple and Google patch zero-day vulnerability used to hack iPhones

On Tuesday, March 11, Apple released security updates for several of its operating systems: iOS, iPadOS, macOS, and visionOS. The updates address a single “exploited” (i.e. in-the-wild, or zero-day) vulnerability—the third that Apple has patched in 2025. According to Apple, hackers had used the flaw in “an extremely sophisticated attack” against iPhones around late 2023.

One day earlier, Google released an update for its Chrome browser for Mac, Windows, and Linux addressing the same vulnerability. Other Chromium-based browsers and apps have begun rolling out corresponding updates.

Here’s everything you need to know about these critical security fixes.


What Apple and Google revealed about CVE-2025-24201

Apple released the following updates on Tuesday to address the single security flaw:

Following are the details that Apple provided about this vulnerability on Tuesday:

WebKit
Impact: Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)
Description: An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions.
CVE-2025-24201: Apple

Google provided a few additional details in its release notes on Monday:

High CVE-2025-24201: Out of bounds write in GPU on Mac. Reported by Apple Security Engineering and Architecture (SEAR) on 2025-03-05 … Google is aware of reports that an exploit for CVE-2025-24201 exists in the wild.
Description: An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions.
Chromium issue number: 401059730

Why did Apple patch a 2023 vulnerability in 2025?

Notably, Apple points out that the flaw was exploited “before iOS 17.2.” Apple released that iOS update on December 11, 2023—well over a year ago.

It’s interesting to note that Apple’s OS releases from late January 2025 (iOS 18.3, macOS Sequoia 15.3, etc.) also addressed a security vulnerability (CVE-2025-24085) that “may have been actively exploited against versions of iOS before iOS 17.2.” Apple technically did not credit any particular researcher for that flaw, but also did not state that the vulnerability was reported anonymously; thus it appears that Apple discovered and patched both of these flaws more than a year after they were first exploited.

Perhaps an internal team at Apple has been spending time reverse engineering past nation-state level attack chains, in an effort to further harden its operating systems against similar attacks.

What about tvOS, watchOS, and iPadOS 17?

Apple released one other operating system update on Tuesday: tvOS 18.3.1. The update only applies to one specific model of Apple TV, as detailed below.

According to the Apple security releases page, tvOS 18.3.1 “has no published CVE entries.” This indicates that the WebKit vulnerability was not patched in this update, for whatever reason.

On Apple’s About Apple TV 4K and Apple TV HD software updates page, the company explains what the update includes:

This update addresses an issue that may prevent playback of some streaming content on Apple TV 4K (3rd generation).

Normally, Apple updates HomePod Software (sometimes called audioOS) along with tvOS, but that wasn’t the case this week.

Apple has not released any watchOS updates this week, either. Although WebKit is an underlying technology in all of Apple’s operating systems, it’s unclear whether CVE-2025-24201 may be exploitable on watchOS or tvOS.

Notably, Apple chose not to patch CVE-2025-24201 for iPadOS 17 this week—even though the flaw clearly affects that OS. Until now, Apple has been releasing partial security patches for the previous iPad operating system, specifically for devices that are incompatible with iPadOS 18.

How to install Apple security updates

For macOS updates

If you haven’t yet upgraded to macOS Sequoia, be sure to first update your critical software. For example, run Intego’s NetUpdate utility and install all available updates, and then check for updates for all other software that you use regularly. Next, check for macOS updates by going to System Settings > General > Software Update.

If you have any trouble getting the macOS update to show up, either press ⌘R at the Software Update screen, or open Terminal, type softwareupdate -l (that’s a lowercase L) and press Return/Enter, then check System Settings > General > Software Update again.

Note that Apple only ever fully patches the latest macOS version (currently, that’s macOS Sequoia); older macOS versions only get a subset of those patches and remain vulnerable. Therefore, staying on the latest macOS version is critically important for maintaining your security and privacy. For more information, see our article, “When does an old Mac become unsafe to use?”


For other Apple OS updates

Users of iPhone or iPad can open the Settings app and choose General > Software Update to update iOS or iPadOS on their devices. (This is an “over the air” or OTA update.) Alternatively, you can connect your device to your Mac, click on the device name in a Finder window sidebar, and check for updates there; or, if you use a Windows PC, you can use the Apple Devices app.

Similarly, users of Apple Vision Pro can open the Settings app and choose General > Software Update to update visionOS.

To update tvOS on your Apple TV, open the Settings app and choose System > Software Updates.


It’s wise to back up before updating

Whenever you’re preparing to update macOS, iOS, or iPadOS, it’s a good idea to always back up your data before installing any updates. This gives you a restore point if something does not go as planned. See our related article on how to check your macOS backups to ensure they work correctly.

How to Verify Your Backups are Working Properly

See also our article on how to back up your iPhone or iPad to iCloud and to your Mac.

Should you back up your iPhone to iCloud or your Mac? Here’s how to do both

More details about the Chromium updates

Monday’s Google Chrome browser update to version 134.0.6998.88/.89 contains four other patches besides the one Apple reported.

Whenever Chrome gets a security update, other browsers based on the Chromium open-source Web browser project generally require an update, too. Notable browsers built upon the Chromium codebase include Microsoft Edge, Arc, Brave, Vivaldi, Opera, and Opera GX.

Vivaldi got an update on Monday, and Brave got an update on Tuesday, to patch CVE-2025-24201; Brave’s update also patches the other four flaws. So far, as of when this blog post is being published, Arc, Microsoft Edge, and Opera’s various browsers haven’t been patched yet.

How to update Chromium-based desktop browsers

Mac users can update their Chrome, Brave, Edge, or Opera browsers by clicking on the application menu (e.g. “Chrome” or “Microsoft Edge,” next to the Apple logo menu), and then clicking the first item in that menu (e.g. “About Google Chrome” or “About Microsoft Edge”). The browser will check for updates; if an update is available, it will prompt you to restart the app to complete the update.

Arc and Vivaldi for macOS have a slightly different update procedure. After clicking on the Arc or Vivaldi menu (next to the Apple menu), click on “Check for Updates…” to ensure you have the latest version installed.

Windows users can update their browsers by following the steps provided by each browser maker: Chrome, Arc, Brave, Edge, Opera, Vivaldi.

How to update Chromium-based mobile browsers

Android users should check the Google Play Store app for the latest versions of their browsers and other apps.

Mobile browsers on iOS and iPadOS use Safari’s WebKit engine, rather than Chromium’s Blink and V8 engines. Therefore, this particular vulnerability does not affect the iOS or iPadOS versions of any Web browsers. If you would like to update your iPhone and iPad browsers anyway, you can do so via the App Store. (Here’s how to manually check for and install updates.)

Starting with iOS 17.4, browser makers may opt into using their own rendering engines. However, this is only available in the EU, for compliance with the Digital Markets Act. No major third-party browser has chosen to bring its own engine to iOS yet.

Non-browser apps need updates, too

As we’ve noted in the past, many non-browser apps, including Electron apps, also rely on the Chromium browser codebase for rendering HTML content. These include the desktop versions of apps like 1Password, Discord, Dropbox, Figma, GitHub, Microsoft Teams, Signal, Skype, Slack, Trello, Twitch, WhatsApp, WordPress, and Zoom.

Notably, the Electron framework does not get updated in tandem with Chromium, so some Electron-based apps may remain vulnerable for months. For this and other reasons, it’s important to keep all your other apps updated as well.

To update Mac App Store apps, open the App Store, then click Updates, and click on Update All. Other apps usually have their own separate in-app or external update mechanisms. In some cases, you may need to update an app manually by downloading a new version from the developer’s site.
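An added example, not code from the blog post: a small inventory check that flags Chromium-based browsers and Electron apps whose embedded Chromium build is still below 134.0.6998.88, the first Chrome release carrying the CVE-2025-24201 fix. The fixed version comes from the post; the app names and version strings in the sample inventory are constructed.

```python
"""Flag apps whose embedded Chromium version predates the CVE-2025-24201 fix.

Added example (not from the blog post). The fixed Chrome version is the one
named in the post; the inventory below is constructed sample data.
"""
from __future__ import annotations

# First Chrome release with the fix (Mac builds shipped as .89).
FIXED_CHROME_VERSION = "134.0.6998.88"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '134.0.6998.88' into (134, 0, 6998, 88); reject anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_at_least(installed: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when installed >= fixed, compared segment by segment as integers.

    A plain string comparison would get this wrong ('9' > '10'), and shorter
    strings are padded with zeros so that '134.0' sorts below '134.0.6998.88'.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def unpatched(inventory: dict[str, str], fixed: str = FIXED_CHROME_VERSION) -> list[str]:
    """Return, sorted by name, the apps whose embedded Chromium is below `fixed`."""
    return sorted(name for name, ver in inventory.items() if not is_at_least(ver, fixed))


# Constructed sample inventory: app name -> Chromium version the app embeds.
# (For Electron apps this is the bundled Chromium build, not the app's own version.)
SAMPLE_INVENTORY = {
    "Google Chrome": "134.0.6998.89",        # Mac build of the fixed release
    "Brave": "134.0.6998.88",                # rebuilt on the fixed Chromium
    "Microsoft Edge": "133.0.6943.142",      # constructed: still on a pre-fix build
    "Some Electron app": "128.0.6613.186",   # constructed: old embedded Chromium
}

if __name__ == "__main__":
    for name in unpatched(SAMPLE_INVENTORY):
        print(f"needs update: {name} ({SAMPLE_INVENTORY[name]})")
```

On a Mac, a browser's own version can be read from CFBundleShortVersionString in its Info.plist, but for an Electron app that field is the app's version, so the embedded Chromium build has to be taken from the app or framework's own release notes before it is fed to this check.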

Chromium vulnerabilities threaten Electron app security

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.
