Article illustration 1

In a coordinated response to active threats, Apple has rolled out critical security updates across its ecosystem to address a high-risk vulnerability (CVE-2025-6558) exploited in zero-day attacks targeting Google Chrome users. The flaw resides in ANGLE (Almost Native Graphics Layer Engine), an open-source component that translates OpenGL ES commands to platform-specific GPU APIs like Metal and Vulkan.

The Anatomy of a Sandbox Escape

Discovered by Google's elite Threat Analysis Group (TAG) in June, the vulnerability stems from improper validation of untrusted input during GPU command processing. Attackers craft malicious HTML pages that trigger the flaw, enabling arbitrary code execution within the browser's GPU process. Crucially, this breach could allow escape from Chrome’s stringent sandbox—a security barrier isolating browser processes from the host operating system.

"Processing maliciously crafted web content may lead to an unexpected Safari crash. This is a vulnerability in open source code and Apple Software is among the affected projects," Apple stated in its advisory.

State-Sponsored Threat Landscape

While Google hasn't disclosed attack specifics, TAG specializes in countering government-backed operations. Historically, such actors exploit zero-days to implant spyware on devices of high-risk targets: journalists, dissidents, and political activists. The July 15 Chrome patch marked this as "actively exploited," signaling real-world weaponization before fixes were available.

Patch Deployment Across Apple’s Ecosystem

Apple’s emergency updates cover:
- iOS/iPadOS 18.6 (iPhone XS+, modern iPads)
- macOS Sequoia 15.6
- Legacy iPadOS 17.7.9 (older iPad Pro models)
- tvOS 18.6
- visionOS 2.6
- watchOS 11.6 (Apple Watch Series 6+)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) swiftly added CVE-2025-6558 to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to patch by August 12.

A Pattern of Persistent Threats

This marks Apple’s sixth zero-day patch in 2025, following five others patched between January and April. The frequency underscores escalating attacks against foundational browser components. ANGLE’s cross-platform nature—used in Chrome, Edge, and WebKit—makes it a high-value target for supply-chain threats.

Security teams should prioritize immediate updates: the flaw’s sandbox-escape capability and CISA’s advisory signal exceptional risk. As browser graphics layers grow more complex, expect offensive research to increasingly focus on these opaque, high-privilege components.

Source: BleepingComputer