Apple rolls out iOS and macOS platform updates to fix serious security bugs that could be triggered simply by opening an image or video file.
Apple on Monday pushed out patches for security vulnerabilities across the macOS, iPhone and iPad software stack, warning that code-execution bugs that could be triggered simply by opening a rigged image, video or website.
The new iOS 18.5 update, rolled out alongside patches for iPadOS, covers critical bugs in AppleJPEG and CoreMedia with a major warning from Cupertino that attackers could craft malicious media files to run arbitrary code with the privileges of the targeted app.
The company also documented serious file-parsing vulnerabilities patched in CoreAudio, CoreGraphics, and ImageIO, each capable of crashing apps or leaking data if booby-trapped content is opened.
The iOS 18.5 update also provides cover for at least 9 documented WebKit flaws, some serious enough to lead to exploits that allow a hostile website to execute code or crash the Safari browser engine.
The company also patched a serious ‘mute-button’ flaw in FaceTime that exposes the audio conversation even after muting the microphone.
Beneath the interface, Apple said iOS 18.5 hardens the kernel against two memory-corruption issues and cleans up a libexpat flaw (CVE-2024-8176) that affects a broad range of software projects.
Other notable fixes include an issue in Baseband (CVE-2025-31214) that allows attackers in a privileged network position to intercept traffic on the new iPhone 16e line; a privilege escalation bug in mDNSResponder (CVE-2025-31222); an issue in Notes that expose data from a locked iPhone screen; and security gaps in FrontBoard, iCloud Document Sharing, and Mail Addressing.
Marks & Spencer hackers appear to protect ‘former Soviet states’ from attacks
Marks & Spencer hackers appear to protect ‘former Soviet states’ from attacks
DragonForce group also says it has targeted Co-op and Harrods in cybercrime spree
Hackers who bragged about crippling Marks & Spencer’s systems and breaching Co-op Group databases appeared to have vowed to protect “the former Soviet Union” from the technology used in the attacks.
The DragonForce cybercrime group appeared to use a dark web forum to issue a threat to “punish any violations” by fellow hackers planning to use its ransomware in Russia or the former Soviet states – the first indication of any allegiance.
The group, which licenses its ransomware to other hacking gangs for a fee, claimed responsibility for an attack that has left shelves at some branches of M&S bare and has forced the company to suspend online orders.
A separate attack on the Co-op led to a data breach and customer details being stolen, and the group has also been linked to an attempt to hack systems at Harrods.
“Any attack by our software on critical infrastructure, hospitals where critical patients, children, and the elderly are kept, or on the countries of the former Soviet Union, is a PROVOCATION by unscrupulous partners,” read a statement which claimed to be from the group, released at the end of last month.
“We, as regulators, are doing our best to counteract this, and we will punish any violations, as well as assist in solving the problems of the affected parties.”
It's time to update your Macs again! This time, I'm not burying the lede. CVE-2025-31250, which was patched in today's release of macOS Sequoia 15.5, allowed for…
…any Application A to make macOS show a permission consent prompt…
…appearing as if it were coming from any Application B…
…with the results of the user's consent response being applied to any Application C.
These did not have to be different applications. In fact, in most normal uses, they would all likely be the same application. Even a case where Applications B and C were the same but different than Application A would be relatively safe (if somewhat useless from Application A's perspective). However, prior to this vulnerability being patched, a lack of validation allowed for Application B (the app the prompt appears to be from) to be different than Application C (the actual application the user's consent response is applied to).
Spoofing these kinds of prompts is not exactly new. In fact, the HackTricks wiki has had a tutorial on how to perform a similar trick on their site for a while. However, their method requires:
the building of an entire fake app in a temporary directory,
the overriding of a shortcut on the Dock, and
the simple hoping that the user clicks on the (now) fake shortcut.
This vulnerability requires none of the above.
TCC
As I explained in my first ever article on this site, TCC is the core permissions system built into Apple's operating systems. It is used by sending messages to the tccd daemon (or rather, by using functions in the private TCC framework). The framework is a private API, so developers don't call the functions directly (instead, public API's call the functions under-the-hood as needed). However, all this wrapping cannot hide the fact that the control mechanism is still simply sending messages to the daemon.
The daemon uses Apple's public (but proprietary) XPC API for messaging (specifically the lower-level dictionary-based API). Prior to this vulnerability being patched, any app with the ability to send XPC messages to tccd could send it a specifically-crafted message that, as described above, would make it display a permission prompt as if it were from one app but then apply the user's response to a completely separate app. But how was this possible, and was it even hard? Before I answer these questions, we need to detour into what will, at first, seem like a completely unrelated topic.
U.K. retail giant Marks & Spencer has confirmed hackers stole its customers’ personal information during a cyberattack last month.
In a brief statement with London’s stock exchange on Tuesday, the retailer said an unspecified amount of customer information was taken in the data breach. The BBC, which first reported the company’s filing, cited a Marks & Spencer online letter as saying that the stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household information and online order histories.
The company also said it was resetting the online account passwords of its customers.
Marks & Spencer continues to experience disruption and outages across its stores, with some grocery shelves remaining empty after the hack affected the company’s operations. The company’s online ordering system for customers also remains offline.
It’s not clear how many individuals’ data was stolen during the hack. When reached by TechCrunch, Marks & Spencer spokesperson Alicia Sanctuary would not say how many individuals are affected and referred TechCrunch to its online statement. Marks & Spencer had 9.4 million online customers as of 30 March 2024, per its most recent annual report.
Dior’s coveted client list of China’s wealthiest and most powerful consumers has been compromised in a major data breach, forcing the French luxury giant to issue an apology as it scrambles to contain potential fallout and limit any damage to its reputation.
The luxury brand under French conglomerate LVMH experienced a customer data breach in China on May 7. According to a text message sent to customers yesterday, the company disclosed that an unauthorized external party had gained access to its database, obtaining sensitive personal information such as customers’ names, gender, phone numbers, email addresses, mailing addresses, purchase amounts, and shopping preferences.
Dior emphasized that the compromised data did not include bank account details, IBANs (International Bank Account Numbers), or credit card information. Nonetheless, the brand urged customers to exercise heightened caution, advising them to beware of phishing messages, unsolicited calls or emails, and to avoid clicking on suspicious links or disclosing personal information.
Screen is the traditional terminal multiplexer software used on Linux and Unix systems. We found a local root exploit in Screen 5.0.0 affecting Arch Linux and NetBSD, as well as a couple of other issues that partly also affect older Screen versions, which are still found in the majority of distributions.
In July 2024, the upstream Screen maintainer asked us if we could have a look at the current Screen code base. We treated this request with lower priority, since we already had a cursory look at Screen a few years earlier, without finding any problems. When we actually found time to look into it again, we were surprised to find a local root exploit in the Screen 5.0.0 major version update affecting distributions that ship it as setuid-root (Arch Linux and NetBSD). We also found a number of additional, less severe issues that partly also affect older Screen versions still found in the majority of distributions.
We offer two sets of patches for the issues described in this report, one for screen-4.9.1 and another for screen-5.0.0. These patch sets apply against the screen-4.9.1 and screen-5.0.0 release tarballs, respectively. Due to difficulties in the communication with upstream we do not currently have detailed information about bugfixes and releases published on their end.
The next section provides an overview of the Screen configurations and versions found on common Linux and UNIX distributions. Section 3) discusses each security issue we discovered in detail. Section 4) takes a look at possible further issues in Screen’s setuid-root implementation. Section 5) gives general recommendations for the improvement of Screen’s security posture. Section 6) points out problems we encountered during the coordinated disclosure process for these issues. Section 7) provides an affectedness matrix which gives a quick overview of the situation on various Linux and UNIX systems.
