MacRumors

macrumors bot
Original poster
The iOS 18.6, iPadOS 18.6, and macOS Sequoia 15.6 updates that Apple released yesterday address a major zero-day attack that targeted Chrome users, according to Bleeping Computer.

Apple says that CVE-2025-6558 was a vulnerability in open source code that also affected Apple software. The flaw could allow remote attackers to execute arbitrary code using HTML pages created for that purpose, escaping Chrome's sandboxing. Google patched the issue on July 15, and said that it had been actively exploited.

In Safari, Apple said that the issue could cause unexpected crashing, but it wasn't known to have been used in attacks against Safari users.

Google hasn't offered up technical details on how the exploit worked, and the company said that additional information would be restricted until the majority of users have updated their devices. Chrome users who have not installed the latest version of Chrome should do so.

Article Link: iOS 18.6 and macOS Sequoia 15.6 Address Chrome Zero-Day Attack
 
Glad that Apple fixed that vulnerability exploit! Sure sounds like it was already being exploited using Google Chrome accessing malicious HTML pages.
 
How is that even possible unless the person downloads a file or allows third party apps? 😬
Sounds like if a Google Chrome (or Safari) user went to view any web page with the malicious code embedded, it could take over their whole system by "allowing remote users to execute arbitrary code" on their machine. Appears to affect anyone using the web browser to view an infected web site, and not only to affect downloads of files or third party apps.
 
Good reason not to trust Google ever :rolleyes:
This not only applies to Google Chrome, but also appears to affect Safari (by causing it to crash). Here is more about this exploit:

Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Tracked as CVE-2025-6558, the security bug is due to the incorrect validation of untrusted input in the ANGLE (Almost Native Graphics Layer Engine) open-source graphics abstraction layer, which processes GPU commands and translates OpenGL ES API calls to Direct3D, Metal, Vulkan, and OpenGL.

The vulnerability enables remote attackers to execute arbitrary code within the browser's GPU process via specially crafted HTML pages, potentially allowing them to escape the sandbox that isolates browser processes from the underlying operating system.
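As an added example (not from the article or any poster in this thread), a small Python check that compares an installed Chrome and macOS version against the fixed versions quoted above, Chrome 138.0.7204.157 and macOS Sequoia 15.6; the Chrome binary path and the `sw_vers` call in `main()` are assumptions about a typical Mac install, and the sample banners are constructed.

```python
import os
import re
import subprocess

# Fixed versions as stated in the Chromium advisory and the article.
CHROME_FIXED = "138.0.7204.157"
MACOS_FIXED = "15.6"


def parse_version(text):
    """Turn a dotted version string into a tuple of ints so it can be compared."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(installed, fixed):
    """True when installed >= fixed. Tuples compare element by element,
    so 138.0.7204.96 < 138.0.7204.157 and 15.6.1 > 15.6, as expected."""
    return parse_version(installed) >= parse_version(fixed)


def chrome_version_from_banner(banner):
    """Pull the four-part version out of Chrome's --version banner,
    e.g. 'Google Chrome 138.0.7204.157'. Returns None when absent."""
    match = re.search(r"\d+(?:\.\d+){3}", banner)
    return match.group(0) if match else None


def assess(chrome_banner, macos_version):
    """Report whether each component is at or beyond its fixed version."""
    chrome = chrome_version_from_banner(chrome_banner)
    return {
        "chrome_patched": chrome is not None and is_patched(chrome, CHROME_FIXED),
        "macos_patched": is_patched(macos_version, MACOS_FIXED),
    }


def main():
    # Assumed standard install path; when it is missing (non-Mac host),
    # fall back to constructed sample values so the script still runs.
    chrome_bin = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
    if os.path.exists(chrome_bin):
        banner = subprocess.run([chrome_bin, "--version"], capture_output=True, text=True).stdout
        macos = subprocess.run(["sw_vers", "-productVersion"], capture_output=True, text=True).stdout
    else:
        banner, macos = "Google Chrome 138.0.7204.100", "15.5"  # constructed samples
    print(assess(banner, macos))


if __name__ == "__main__":
    main()
```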
 


The iOS 18.6, iPadOS 18.6, and macOS Sequoia 15.6 updates that Apple released yesterday address a major zero-day attack that targeted Chrome users, according to Bleeping Computer.

Apple says that CVE-2025-6558 was a vulnerability in open source code that also affected Apple software. The flaw could allow remote attackers to execute arbitrary code using HTML pages created for that purpose, escaping Chrome's sandboxing. Google patched the issue on July 15, and said that it had been actively exploited.

In Safari, Apple said that the issue could cause unexpected crashing, but it wasn't known to have been used in attacks against Safari users.

Google hasn't offered up technical details on how the exploit worked, and the company said that additional information would be restricted until the majority of users have updated their devices. Chrome users who have not installed the latest version of Chrome should do so.

Article Link: iOS 18.6 and macOS Sequoia 15.6 Address Chrome Zero-Day Attack
Why would a fix for this be included in iOS/iPadOS? Chrome on iPhone and iPad uses WebKit, not Chromium.
 
You know how often this has happened to Safari? I'll tell you: a damn lot.

And when this happens, you need a WHOLE OS update to fix it, while Chrome only needs an app update most of the time (not this time around, though).

Well, that's not true as Safari is a separate download on Ventura and Sonoma (and every other supported macOS that's not the current one). Having to install a whole point update on the most recent macOS is a choice Apple makes.
 
Why would a fix for this be included in iOS/iPadOS? Chrome on iPhone and iPad uses WebKit, not Chromium.
Guessing: if a webpage can escape the browser sandbox and feed arbitrary commands to the graphics layer (Metal), causing a security issue, it's Apple's problem. That's why they patch iOS and iPadOS.
We should thus be happy the issue was found in Chrome.
 
Very happy to see that it has been fixed quickly. Hopefully such issues do not happen in the future.
 
Good reason not to trust Google ever :rolleyes:

Well, that's not true as Safari is a separate download on Ventura and Sonoma (and every other supported macOS that's not the current one). Having to install a whole point update on the most recent macOS is a choice Apple makes.
But what is true is that security problems are continuously discovered in software from all vendors, and it's definitely not the last time it happens in code written by folks from Google or Apple.
 
If this is as serious as it sounds, I would like to know if previous versions of Safari and macOS will always be patched.

Also, it would be interesting to know if other browser engines are also affected. I'm using Firefox on my Macs.
 
So many questions. From the article it feels like Google is the bad guy, but why in the world can any app on a non-jailbroken device, installed from the Apple App Store, execute arbitrary code?

Remember they said it's not secure to install apps from any other source? It's a fully Apple-controlled environment; it's even Apple's WebKit engine.

W T F ? What's the point of all these security measures?!
 
So many questions. From the article it feels like Google is the bad guy, but why in the world can any app on a non-jailbroken device, installed from the Apple App Store, execute arbitrary code?

Remember they said it's not secure to install apps from any other source? It's a fully Apple-controlled environment; it's even Apple's WebKit engine.

W T F ? What's the point of all these security measures?!
The Chrome patches were for the Chrome browser on Macs/PCs. It's not clear from the articles whether the Chrome app on iOS devices was vulnerable to escaping the sandbox or whether it just triggered the Safari crash at the WebKit level.
 
How is that even possible unless the person downloads a file or allows third party apps? 😬
The user just needs to visit a normal website which contains a specially prepared .html file, either a phishing or general malware site or a normal site that has been hacked and the relevant code inserted into it. The HTML/JavaScript on the page, which uses the ANGLE interface, uses malformed data, causing something like a buffer overflow and allowing them to write executable code into the memory space, which can then be executed.

In this case, it seems to be using malformed data to attack the GPU through ANGLE's OpenGL to Metal translation layer routines (on iOS).

In Chrome, it sounds like the malformed data could be used to execute code, allowing for things like data exfiltration or the installation of persistent malware on the host.

On iOS, it sounds like it was limited to just crashing the browser (denial of service), but hadn't yet been expanded to exploit the vulnerability to actually be able to execute code.
 