iOS 18.6 and macOS Sequoia 15.6 Address Chrome Zero-Day Attack

Good reason not to trust Google ever :rolleyes:

This not only applies to Google Chrome, but also appears to affect Safari (by causing a crash to it.) Here is more about this exploit:

Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Tracked as CVE-2025-6558 ('https://nvd.nist.gov/vuln/detail/CVE-2025-6558'), the security bug is due to the incorrect validation of untrusted input in the ANGLE (Almost Native Graphics Layer Engine) open-source graphics abstraction layer, which processes GPU commands and translates OpenGL ES API calls to Direct3D, Metal, Vulkan, and OpenGL.

The vulnerability enables remote attackers to execute arbitrary code within the browser's GPU process via specially crafted HTML pages, potentially allowing them to escape the sandbox that isolates browser processes from the underlying operating system.

Good reason not to trust Google ever :rolleyes:

This impacts all Chromium browsers, so Brave, Edge, Opera, and most other browsers not named Firefox or Safari.

The same issue causes Safari to crash, which while inconvenient, is preferable to having malicious code able to access data that it shouldn't.

What happens in Firefox?

Good reason not to trust Google ever :rolleyes:

You know how often this has happened to safari? I'll tell you: a damn lot

And when this happens, you need a WHOLE OS update to fix it , while chrome only needs an app update most of the time (not this time around though)

Good reason not to trust Google ever :rolleyes:

Well, that's not true as Safari is a separate download on Ventura and Sonoma (and every other supported macOS that's not the current one). Having to install a whole point update on the most recent macOS is a choice Apple makes.

But what is true is that security problems are continuously discovered in software from all vendors and it’s definitely not the last time it happens in code written by folks from Google nor Apple.

How is that even possible unless the person downloads a file or allows third party apps? 😬

Sounds like if a Google Chrome (or Safari) user went to view any web page with the malicious code embedded, it could take over their whole system by "allowing remote users to execute arbitrary code" on their machine. Appears to affect anyone using the web browser to view an infected web site, and not only to affect downloads of files or third party apps.

Apple released yesterday address a major zero-day attack that targeted Chrome users

How can Apple fix a Chrome bug? That's right, they can't. They simply used the same buggy open source code in Webkit and patched it two weeks after Google. Pretty misleading headline.