Security Friday: iOS 18.5 is here with tons of security fixes

Hi Readers, Cullen here. I always look forward to Apple's free software updates, and it's not just because I'm a little weirdo obsessively researching security news and writing "keep your software up to date" on the walls over and over again.

View In Browser

This Newsletter Is Brought to You By:

Privacy & Security   May 16, 2025 Editor's Note Hi Readers, Cullen here. I always look forward to Apple's free software updates, and it's not just because I'm a little weirdo obsessively researching security news and writing "keep your software up to date" on the walls over and over again. It's fun to have new stuff added to my devices for free, even if it's sometimes frustrating when new is not the same as better. This week, Apple released iOS 18.5 as well as the x.5 updates for its other devices—Apple TV, Mac, Apple Watch, and all the rest. The good news is you don't have to worry about Apple rearranging much. Scroll down to find out what's new! Do you look forward to Apple software updates? Why or why not? Let us know by emailing security@iphonelife.com or replying to this email. Cheers! Cullen Thomas, Senior Instructor at iPhone Life IN THIS NEWSLETTER Your Security Checklist Test Your Security Skills Your Weekly Security Update This Should Be on Your Radar Security Fail of the Week Security Updates from Apple   Your Security Checklist If you take nothing else from this newsletter, do these three things to protect yourself: Avoid falling for text message scams. Scammers will often send texts warning you about missing USPS packages, unpaid tolls, or fraudulent charges. Lock your Apple Account with a physical key. If you are able to, you should use a security key to lock your account, which will prevent others from accessing your data. Add a Recovery Contact to your Apple Account. Apple can use a Recovery Contact to verify your identity and help you regain access to your account in the event you get locked out. In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts.   Test Your Security Skills What should you do in the following scenario? Examine the following text message. Which detail or details can help you determine if the text is legitimate? The message was sent by an email address associated with neither Apple nor your bank. The message tries to convey a sense of urgency e.g., "Failing may lead to auto debit," and "Your Photos, Data, Bank information, and Cards are at risk." The link at the bottom is not blue or clickable. The text gives a contact phone number that is not associated with Apple (We don't want anyone misinterpreting our email and accidentally calling a scam number, so we've blocked out some of the numbers in the text). The text is garbled and includes capitalization and punctuation errors. All of the above. All of the above except one. Scroll to the bottom to see how you did! In partnership with Incogni Stop Spam at the Source The reason you get so many spam calls, emails, and texts is that your name is being bought and sold by data brokers every single day. Incogni gets you off these lists, reclaiming your privacy and stopping spam right at the source. Sign up today and get 55% off.     iOS 18.5 Release Has Tons of Security Content, Few New Features Apple's iOS 18.5 update comes with a ton of security content. Wide-ranging vulnerabilities across iCloud document sharing, Notes, WebKit, CoreMedia, and loads more have all been patched, including bugs that would let an attacker share an iCloud folder without permission; loads of image and web-page processing bugs that could help an attacker compromise an iPhone that is just visiting the web; and a way for a maliciously crafted email to lead to an attacker being able to enter user inputs. Apple doesn't release much information about these bugs in its update documentation, but sometimes the researchers who helped Apple find the bug release their own explanations. I hope they do, because some of the iOS 18.5 bugs sound pretty bad in Apple's terse descriptions, and I'd love to hear what's actually going on and how the bug really works. In the meantime, it's enough to know to update your devices to get the fixes. While the x.5 updates usually come with a suite of new features to help convince people to update, this time Apple only sweetened the deal with a few pretty minor updates, such as a new Pride wallpaper and a few very minor tweaks to the Mail app. Probably the biggest new feature in iOS 18.5 is an alert for parents when a child enters the screentime passcode to unlock their iPhone. While the features added with iOS 18.5 are fairly minimal, this is probably because Apple has been trickling out new features all year long. You can hear about all the updates that have come in the 18 series in our upcoming iOS 18.5 and Apple Intelligence free live class, on Wednesday, May 21, at 3:30 p.m. ET.   This Should Be on Your Radar Browser Extensions Require Dangerous Access, but Everyone Uses Them Anyway A web browser, such as Apple Safari or Google Chrome, is just an application that you use to browse the web, or so you might think. But in reality, web browsers are used to access everything from your private messages in your email to your private online purchases. The web browser application is a window into your entire life. Besides the browser itself, web browsers typically offer an app store where you can install extra features called extensions. The most popular ones are things like new color themes for your web browser or an extension to better integrate Zoom into your browsing experience. A new report examines web browser extensions and finds that over 99 percent of business computers have at least one installed, but that more than half of all browser extensions require unsafe levels of access to your data in order to function at all. Read more about the report at Bleeping Computer. The Bottom Line: Avoid browser extensions. Only use ones you carefully select and trust, such as your password manager, malware scanner, or VPN. Protect All Your Devices with 80% Off (sponsored) How Did Notorious Spyware Maker NSO Group Hack iPhones? Lawsuit Reveals Details For years, the spyware maker called NSO Group sold what we have repeatedly called "top-shelf" spyware for spying on iPhones from afar. The software, called Pegasus, has always relied on security vulnerabilities in iPhones; and Apple has consistently sought out and patched those vulnerabilities, so the actual capabilities of Pegasus were constantly changing. Back in 2020, engineers at the encrypted messaging app WhatsApp detected Pegasus accessing its users' data and sued NSO Group. That five-year legal battle is wrapping up now, and TechCrunch has done a great job of summarizing some of the more interesting details that have come out of the lawsuit. Want to Use AI to Generate a Video? Be Wary of Scam Services & Their Malware Researchers at Morphisec discovered a campaign to trick users into downloading infostealer malware by hiding the malware in the supposed output of a fake AI video-generating website called Luma Dreammachine. On the webpage for Luma Dreammachine, users are prompted to upload a single image that AI will supposedly convert into a video. When it comes time to download the video, they're sent a malware package instead, which then steals their password vault and any cryptocurrency stored on the system. So far, this campaign has only targeted Windows users with a new Windows-only infostealer, but there is no reason the same lure couldn't be used with Atomic Stealer or another Mac-compatible infostealer. There is one crucial detail to watch out for: when this fraudulent website sends the user a file that is supposed to be an AI-generated video, it is named "Video Dream MachineAI.mp4       .exe". The extra spaces are meant to hide the real nature of the file. An .mp4 file is a video file, which is what you'd be expecting, but an .exe file is a Windows application, not a video. On some Windows setups, the extra spaces help the .exe text to be truncated and only the .mp4 to be shown. The Bottom Line: When you download anything, whether it be a video or an image, from Pinterest or social media or from a generative AI service, always check to make sure it is the correct file type. You can view filename extensions on a Mac by going to the Finder, clicking the Finder menu > Settings > Advanced > and checking the box for Show all filename extensions. In partnership with ExpressVPN Get Device Security in 90 Seconds If you want to ensure your devices are protected but worry about complex setup situations, I have good news for you. With ExpressVPN, you just install the app, tap "connect", and you're instantly protected. No complex configurations. No tech skills needed. Get ExpressVPN today.   Internet too Slow? It Could Be Spooks Using Your Wi-Fi Router The FBI has issued a warning to owners of old and outdated Wi-Fi routers that those devices are widely exploited by hackers to create what are called botnets. A botnet is a collection of compromised devices on the internet that hackers can use either for distributed computing or as proxies to hide their activity. A botnet could be set up on anything with a processor and an internet connection, from a smart lightbulb to a car; but one very big category is Wi-Fi routers, especially those which are getting older and are no longer updated by their manufacturers. The US Department of Justice recently shut down two botnet-like proxy services called Anyproxy and 5Socks, which had infected outdated Wi-Fi routers and were selling access to those devices to help customers hide their activities. Read more in Security Week. The Bottom Line: Once you connect a device to the internet, it becomes your responsibility to keep that device up to date with the latest software to protect it from malicious access, and to prevent it from being used to scam or harm others. If updates are not available for a device, it may be necessary to replace that device with a newer version. Does Your School Use the iClicker Learning Interface? Hackers May Have Tried to Trick You into Installing Malware iClicker provides an interface for students to take tests, manage their digital course material, and other educational tasks. The company suffered a cyber incident where hackers added a malicious version of a captcha to the iClicker website. iClicker's announcement is not specific about what the malicious captcha was doing, but if it was like other malicious captchas, then it may have instructed the user first to click a button labeled "I'm not a robot," which would cause a set of commands to be copied to the clipboard, then the user would be instructed to open Command Prompt on Windows or potentially the Terminal on Mac, paste in the commands, and then hit enter. When run, the commands would install malware. The Bottom Line: If you see a captcha that asks you to open Command Prompt or Terminal, don't do it. If you used the iClicker service between April 12 and April 16 and encountered any odd captchas, you may wish to run malware scans on the device you were using, double-check your bank account statements, and (as always) freeze your credit. Stop Spam at the Source (sponsored) Google Chrome Adds GenAI Feature to Detect Tech Support Scams Later this month, Google will release Chrome 137, which includes a new feature designed to protect users from tech support scams. If a web page calls for the browser to do one of several things that are common to scam websites (think those pages that pop up fake "you have a virus!" warnings) that will trigger an on-device GenAI model to scan the web page and make a guess as to the intent of the page's designers. The on-device GenAI then transmits its guess to one of Google's servers, which checks other factors like the page's server history, authority rankings, and so forth, and if the server determines that the page is malicious, it will pop up a full-page warning instead of the web page. Microsoft Edge offers a similar feature. The Bottom Line: GenAI may be better at spotting tech support scams than the people who are most often victimized by those scams, so making it easy to use a GenAI to check if a website is malicious could help protect the vulnerable. Privacy-conscious users, however, may balk at having GenAI scan their web pages, even if it is only sending an "interpretation of intent" to Google's servers and not the whole scan. As an alternative, ad-blocking services like NextDNS or Ghostery can help protect users from tech support scams by hiding the malicious ads designed to look like virus warnings. Apple Settles Class Action Lawsuit & You Could Get Paid You might have received an email recently about a settlement for a class action lawsuit against Apple, and for once, at least some of those emails are not scams. A recent class action lawsuit alleged that Apple recorded private communications through accidental Siri activations. The company is choosing to settle the lawsuit (without admitting fault), which means anyone who purchased a Siri-capable device between September 17, 2014, and December 31, 2024, can submit a claim and receive a payment from the settlement. You can get up to $20 per Siri-enabled device. It's not going to make you rich, but having some extra spending money never hurts. The Bottom Line: You can submit a claim through this website, which also offers information explaining the case and who it applies to. Please don't email us for information, we're just a newsletter. We're not related to Apple or any other party in this case. In partnership with TotalAV Protect All Your Devices with 80% Off Don't leave your devices exposed to threats. Get real-time protection against malware, hackers, and spyware with an Award-Winning antivirus. Fully compatible with Windows, Mac, Android, and iOS. Take control of your security and enjoy peace of mind - get 80% off here.     Security Fail of the Week VPNSecure Acquired, Cancels Lifetime Subscriptions A few weeks ago, lifetime subscribers of the VPN provider called VPNSecure abruptly found their subscriptions cancelled. According to an email sent to users, VPNSecure was acquired by a company called InfiniteQuant Ltd in 2023, and its new owners were not aware of the large number of lifetime subscriptions that had been sold. According to the email, the VPN's new owners didn't have the resources to maintain those lifetime subscriptions and simply canceled them. According to Ars Technica, VPNSecure is now offering discounted subscriptions through May 31 for affected users. The Bottom Line: If you were a lifetime subscriber of VPNSecure, you have until May 31 to resubscribe at the discounted rate. But we recommend looking elsewhere for a more reliable VPN.   Security Updates from Apple Everything you need to know about Apple's latest software updates. The most recent iOS and iPadOS is 18.5 The most recent macOS is 15.5 The most recent tvOS is 18.5 The most recent watchOS is 11.5 The most recent visionOS is 2.5 Get Device Security in 90 Seconds (sponsored)   Security Skills Answer The correct answer is E: all of the above. The email address that sent the text is visible at the top of the message, and it's a big red flag. The text attempts to create urgency. Scams usually depend on creating a sense of urgency to encourage people to make hasty and regrettable decisions. In this case, the urgency is contradictory: they claim that a charge has been stopped, but they also claim that you have to call them or else the charge will go through. Which is it? Usually when your bank stops a charge, you have to call them, or else it will not go through. The link is not blue or clickable. Apple has a security feature that can detect if a link in a text message leads to a web page that is very new. Scammers create look-alike websites to phish passwords, but since those look-alikes are taken down as soon as they're discovered, they have to constantly create new ones. This means that a look-alike web page will almost always be very new, and when Apple detects that the site is new, it will not enable the link in the message. When you see a link in a text message that is not blue and clickable, that's a red flag. If you enter the phone number from the message in a search engine, you might find that it's not a number associated with Apple (this one wasn't). This technique doesn't always work, because internet white pages websites don't always turn up reliable results, but it's a valid test to try. The text is garbled and includes capitalization and punctuation errors. Poor editing is, alas, all too common, and not automatically an indicator of a scam. But official communications from major companies are unlikely to have this many errors, so this is a potential red flag as well.   Mission Statement There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Sarah Kingsbury.   Next Steps In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts. Interested in keeping your internet connection private? Check out: Keep Your Web Browsing Activity Private What Is a VPN on iPhone & How Does It Work?   Premium Content If you enjoyed this newsletter, you'll love all the security content available on iPhone Life Insider! This premium subscription includes: The complete iPhone Life Privacy & Security Course for Apple Enthusiasts and other free online courses taught by expert instructors In-depth guides on everything from security to iPhone photography to other Apple devices Daily, bite-sized video tips on topics ranging from iCloud security to password management A digital subscription to iPhone Life Magazine, where you'll find articles covering the best security gear, apps, and in-depth how-tos The monthly premium iPhone Life Security Newsletter covering everything you need to know to keep your digital life secure Access to the ad-free version of the iPhone Life Podcast and exclusive bonus content Expert help with all your most pressing Apple Watch questions in our private Ask an Expert Facebook Group Join the Insider community today and save 30 percent! Did we help with your security concerns? With your feedback, we can improve this security newsletter. Let us know how we did: 👍 Yes, this definitely helps me with my security 😐 Some of the content is helpful to me 👎 No, I didn't find this newsletter helpful