Apple Security Updates, May 2025; Update Cisco IOS XE to Fix CVSS 10.0 Flaw; Google to Pay $1.375 Settlement in Texas Privacy Suits

Apple's May 12, 2025 security updates include patches for 65 vulnerabilities. Among the notable flaws is a known exploited vulnerability in the CoreAudio framework, patched already for the most current operating systems on April 18, 2025, now patched for older systems. AppleJPEG and CoreMedia have improved input sanitization against attacks involving maliciously crafted files that could lead to app termination or corrupt process memory. CoreAudio, CoreGraphics, and ImageIO have had file-parsing flaws fixed. WebKit received patches for nine flaws that could lead to memory corruption, data exfiltration by a malicious website, process crashes, and Safari crashes. FaceTime received improved state management to fix an issue in which "Muting the microphone during a FaceTime call may not result in audio being silenced." The iOS 18.5 and iPadOS 18.5 kernel has been protected against unexpected system termination and corrupt kernel memory by improving memory handling, and against unexpected app termination by improving memory management. Multiple issues possibly leading to unexpected app termination or arbitrary code execution have also been fixed in in libexpat, an open-source XML parser. The Baseband device for iPhone 16e has received improved state management to prevent an attacker in a privileged network position from intercepting network traffic. mDNSResponder has improved checks to prevent privilege escalation. Notes has improved authentication to prevent an attacker with physical access to a device being able to access notes from the lock screen, and improved checks to prevent an attacker with physical access to a device from being able to access a deleted call recording. In addition to iOS 18.5 and iPadOS 18.5, Apple is releasing major updates for macOS Sequoia, macOS Sonoma, macOS Ventura, WatchOS, tvOS and visionOS.

Cisco has published a security advisory addressing a maximum-severity vulnerability in its Internetworking Operating System built on Linux, IOS XE, for wireless LAN controllers (WLCs). CVE-2025-20188, CVSS score 10.0, would allow a remote unauthenticated attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges by sending crafted HTTPS requests to the Out-of-Band Access Point (AP) image download interface, due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. The Out-of-Band AP Image Download feature is not enabled by default, but must be enabled for exploitation of this flaw to be possible. The flaw affects Catalyst 9800-CL Wireless Controllers for Cloud, the Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches, Catalyst 9800 Series Wireless Controllers, and the Embedded Wireless Controller on Catalyst APs, when running Cisco IOS XE with the Out-of-Band AP Image Download Feature enabled. Cisco urges system administrators to update Cisco IOS XE to the latest version, and strongly recommends mitigating risk by immediately disabling the Out-of-Band AP Image Download feature. Cisco's advisory provides commands for determining if the feature is enabled, and lists devices and software known not to be vulnerable.

Google will pay US $1.375B, its largest settlement to date over US state privacy, to resolve two lawsuits and three claims brought by Texas Attorney General Ken Paxton, who alleges that the company violated state laws by collecting and using data without consent. One suit asserts that Google violated the Capture or Use of Biometric Identifier Act (CUBI), which "prohibits a person from capturing an individual's biometric identifiers (retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry) for a commercial purpose unless that person informs the individual and obtains the individual's consent prior to the capture," and "restricts the sale, lease, or disclosure of biometric identifiers and requires that a captured biometric identifier be destroyed within a reasonable timeframe." Google allegedly unlawfully collected and used voiceprints, facial geometry, and other biometric identifiers via Google Photos, Google Assistant, and Nest Hub Max. The second suit claims that Google violated the state's Deceptive Trade Practices Act by continuing to track users' locations and to use the data to serve targeted ads even after users disabled Location History and used Incognito Mode. Paxton's press release states "In Texas, Big Tech is not above the law"; Google has stated that the settlement does not constitute admission of wrongdoing, and that procedure changes have already been made to resolve the issues.

Starting in June, Microsoft will roll out a OneDrive feature called 'Prompt to Add Personal Account to OneDrive Sync.' In discussions on social media platforms, IT and security professionals have expressed concern that the feature poses privacy and security concerns. Not only would it potentially expose personal information to the work environment, but sensitive work data could accidentally be saved to users' personal computers. According to Microsoft, the "feature enables the OneDrive Sync client on Windows to detect known Microsoft personal accounts associated with business devices and prompt users to sync their personal OneDrive files. If the user accepts the prompt, their personal files will begin syncing alongside their work files. No action is required to enable this behavior by default. Admins can suppress or disable it using the DisableNewAccountDetection or DisablePersonalSync policies." The feature was initially scheduled to begin rolling out over the weekend, but the target date has been pushed back until next month.

Starting in July, Microsoft will roll out a feature to teams that will prevent teams meeting participants from taking screenshots of sensitive information. In the Microsoft 365 Roadmap, Microsoft writes: "the Prevent Screen Capture feature ensures that if a user attempts to take a screen capture, the meeting window will turn black, thereby protecting sensitive information. This feature will be available on Teams desktop applications (both Windows and Mac) and Teams mobile applications (both iOS and Android). For users joining from unsupported platforms, they will be placed in audio-only mode to maintain the integrity of the meeting's content." The feature will be available on Teams desktop for Windows and macOS as well as on iOS and Android mobile apps. Microsoft has not said if the feature will be enabled by default.

Florida's proposed legislative amendment SB 868 / HB 743, "Social Media Use by Minors," which notably included a requirement for social media platforms "to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena," has been "indefinitely postponed and withdrawn from consideration" by the Florida House of Representatives. The Electronic Frontier Foundation calls this "a win for privacy and encryption," having urged senators to reject the bill, stating in concert with other advocates that by weakening privacy these changes further endanger those the bill aims to protect.

ClickFix attacks have been detected against Windows and Linux targets and against iClicker, a digital classroom tool. Researchers from Hunt.io identified an attack against India's Ministry of Defence that used a phony website and a link that purports to be a press release. Once site visitors click on the link, they are "directed to one of two PHP pages depending on their operating system." In another attack, the iClicker website was found to have been compromised with a malicious CAPTCHA prompt that installs malware on users' devices. According to the University of Michigan's IT Services Safe Computing site, the phony CAPTCHA was on the iClicker landing page between April 12 and 16, 2025.

Law enforcement authorities in the US and the Netherlands have seized infrastructure supporting two websites that sold proxy tools used by cybercriminals to hide their identities and locations. The botnet responsible for the criminal operation comprised thousands of compromised wireless internet routers and other Internet of Things (IoT) devices. An unsealed indictment from the US Department of Justice (DoJ) charges four individuals Ð three from Russia and one from Kazakhstan Ð with conspiracy and damage to protected computers. According to DoJ, the law enforcement effort, dubbed Operation Moonlander, involved "multiple jurisdictions, including the Eastern District of Virginia, the Dutch National Police - Amsterdam Region, the Netherlands Public Prosecution Service (Openbaar Ministerie), and the Royal Thai Police. Black Lotus Labs of Lumen Technologies, Inc., provided significant assistance and worked closely with investigators."

UK-based education company Pearson says they have experienced a cyberattack in which 'legacy data' were stolen. Pearson told BleepingComputer, "an unauthorized actor gained access to a portion of our systems." Pearson provides both print and online educational services, including textbooks and standardized testing. Pearson's statement follows BleepingComputer learning from sources "that threat actors compromised Pearson's developer environment in January 2025 through an exposed GitLab Personal Access Token (PAT) found in a public .git/config file." In January 2025, Pearson disclosed a cybersecurity incident involving one of its subsidiaries.

ASUS has released fixes to address a pair of vulnerabilities in DriverHub that could be chained to achieve remote code execution. DriverHub is driver software that comes pre-installed on ASUS motherboards. The issue lies in insufficient validation of commands (origin validation and certificate validation) "that may allow unauthorized sources to interact with the software's features via crafted HTTP requests." Users are urged to update ASUS DriverHub installations to the most recent version.