Apple plugs security hole in its iThings that's already been exploited in iOS

Apple has plugged a security hole in the software at the heart of its iPhones, iPads, Vision Pro goggles, Apple TVs and macOS Sequoia Macs, warning some miscreants have already exploited the bug. The vulnerability, tracked as CVE-2025-24085, is a use-after-free() flaw in the CoreMedia component common across iOS, macOS, and so …

  1. Groo The Wanderer - A Canuck

    No operating system is immune to bugs and security holes; none. Even coding an entire operating system in something like Rust would not prevent errors in design or implementation that would allow miscreants into a system.

    But some are better than others. Community efforts and community testing by millions of deployed devices mean that the core *nix distributions have had a much more thorough vetting of their code than any one company could possibly do alone.

    1. Charlie Clark Silver badge
      Stop

      The reference to core *nix distributions is simply erroneous here. Multimedia systems are much more susceptible because they invariably interact, at some point, directly with hardware.

      If you're talking about the many eyes make shallow bugs idea, this is a fallacy. While I'm a big fan of open source, making the source open does not avoid bugs, where open source does come into its own once a bug has been identified.

      Apple's developers have made a common mistake that probably could and should have been caught by code review, testing and static analysis. But Apple steadfastly continues to refuse to improve its release and update procedures, so that, instead of frequently releasing minor patches, it prefers to release monolithic sets of updates and new features once a quarter, which often and unsurprisingly introduce new bugs because of their scope and scale. But they can point to millions of satisfied customers – I've got a Mac myself but no I-Thingy and I prefer not to live on the bleeding edge, usually keeping at least one major version behind – no matter what we say.

      1. Charlie Clark Silver badge
        Unhappy

        Nice to know Apple continues to break stuff: my external webcam is no longer working on my MBP 2020, though it works fine on my MBP 2016.

    2. Anonymous Coward

      > Community efforts and community testing by millions of deployed devices mean that the core *nix distributions have had a much more thorough vetting of their code than any one company could possibly do alone.

      Core *nix may well be deployed to millions of devices but that just implies functionality testing and hardware compatibility testing, not security testing.

      Security testing will be limited to a much smaller number who have the skills and time to examine the source code - mostly maintainers and contributors.

    3. IvyKing Bronze badge

      In my opinion, the bug finding virtue of open comes more from the experience of porting software to different platforms than from the multitude of eyes looking at the source. One example was the bug in yacc that was found after 3-+ years when the OpenBSD group was porting to a new spin of the SPARC processor.

    4. gnasher729 Silver badge

      Apple has more deployed devices than any *nix or Li*** distribution.

  2. Phil O'Sophical Silver badge

    Use-after-free is one of those programming errors that will be caught by most static analysis tools. There's really little excuse for not scanning all code with them, especially for a large business that can easily afford any software licensing costs.

    1. heyrick Silver badge

      Yup. Every so often I throw my code at cppcheck to report on what it finds. Once in a while it notices that I've done something dumb so I fix it.

      I'm a nobody writing stuff used by maybe a dozen people if I'm lucky (what I write is primarily for myself). So what's Apple's excuse?

    2. gnasher729 Silver badge

      Use after free when it is a genuine programming error usually leads to a crash. So when you find it you fix a programming error which is nice. In an attack the situation where it happens would be well hidden so the problem isn't found.

      All the problems where you say “oh, this would have been easy to prevent, just by doing X”, have already been prevented. You are now looking for cleverly hidden ones.

    3. John Miles

      Most developers I've encountered don't read the compiler warnings, let alone running any static analysis.

      1. gnasher729 Silver badge

        Oh shit. My rule was “no compiler warnings allowed, everything compiled with warnings = errors”. Then a good colleague and I started enabling warnings. First build had over 4,000 warnings which were reduced very, very quickly.

  3. SparkE

    Curious how this Zero day is fixed by the very iOS update that a lot of Apple users are avoiding because of the opt-out Apple intelligence roll out…

    1. excperr

      Up to 21G of AI goodness / utter rubbish switched on by default in 18.3

      Switch it off.

    2. Joe Gurman

      Please

      Name two. Or better, “a lot.” Turning off unwanted A”I” “features” on iOS is a matter of three taps: Settings, Apple Intelligence & Siri, and toggling the Apple Intelligence setting to “off.” For what it’s worth, this Apple user didn’t have to worry about it because my phone is pre-iPhone 15. If there really are “a lot” of iPhone owners who want to be protected from A”I” intrusiveness, this old thing might command a good price.

    3. Anonymous Coward

      > Curious how...

      What's really curious is how coincidences appear to be curious.
