iOS 17.4 Fixes Two Big iPhone Security Flaws


On Tuesday, Apple released iOS 17.4 and iPadOS 17.4 for compatible iPhones and iPads. It’s a substantial update—at least if you live in the E.U., where it introduces third-party app stores and non-WebKit web browser support—but the rest of the world gets some cool new features, too, from automatic transcripts in Apple Podcasts to 118 new emojis.

However, new features are far from the only reason you should prioritize this update for your iPhone or iPad. In fact, you should update your Apple devices as soon as possible, since iOS and iPadOS 17.4 also patch two big zero-day security vulnerabilities.

Security updates in iOS and iPadOS 17.4

While new Apple software updates usually come with release notes—a list of features, changes, and bug fixes in the update—the company is usually slower to release an update’s security notes. In the hours after 17.4’s release, Apple finally issued its security notes, detailing the four security patches it includes for your iPhone or iPad.

Two of these patches aren’t quite as serious: One is a fix for an Accessibility flaw that could allow an app to read sensitive location information, while the other is a fix for a Safari Private Browsing flaw that could reveal your locked tabs while switching tab groups in private browsing.

However, the other two vulnerabilities are much more important to address. Both flaws, one in the Kernel (the core of iOS and iPadOS) and one in RTKit (the platform for controlling iOS and iPadOS’ time functionality), could allow an attacker who already has arbitrary kernel read and write capability to bypass kernel memory protections, which would allow them to take over the memory allocated to your iPhone or iPad’s most basic OS functions.

Aside from being a scary prospect, these two vulnerabilities are especially serious because Apple confirmed that there are known exploits for them in the wild. That means someone, somewhere not only knows about these two flaws, but has taken advantage of them. That makes it imperative for all of us with one of these Apple devices to update as soon as possible.

The Kernel flaw in particular is so severe that Apple also issued iOS and iPadOS 16.7.6 for iPhone 8 and newer. The company also seeded iOS and iPadOS 15.8.2 for iPhone 6S and newer, but did not issue security notes, so we can’t say what exactly those updates patch.

You can read the full security notes for iOS and iPadOS 17.4 below:

iOS 17.4 and iPadOS 17.4

Released March 5, 2024

Additional CVE entries coming soon.

Accessibility

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2024-23243: Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania

Kernel

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.

Description: A memory corruption issue was addressed with improved validation.

CVE-2024-23225

RTKit

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.

Description: A memory corruption issue was addressed with improved validation.

CVE-2024-23296

Safari Private Browsing

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: A user’s locked tabs may be briefly visible while switching tab groups when Locked Private Browsing is enabled

Description: A logic issue was addressed with improved state management.

CVE-2024-23256: Om Kothawade
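
For patch triage, the fixed layout of these notes (component, Available for, Impact, Description, CVE) can be parsed to pull out the entries Apple flags as possibly exploited. This is an added example, not Apple's or this article's code; the function names are illustrative, and the sample reproduces three of the four entries above with the device lists abridged.

```python
import re

# Constructed sample: three of the four entries quoted above, device lists abridged.
ADVISORY = """\
Released March 5, 2024
Accessibility
Available for: iPhone XS and later (list abridged)
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2024-23243: Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania
Kernel
Available for: iPhone XS and later (list abridged)
Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved validation.
CVE-2024-23225
RTKit
Available for: iPhone XS and later (list abridged)
Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved validation.
CVE-2024-23296
"""

FIELD = re.compile(r"^(Available for|Impact|Description):\s*(.*)$")
CVE = re.compile(r"^(CVE-\d{4}-\d{4,})(?::\s*(.*))?$")
EXPLOITED = "may have been exploited"  # Apple's wording, as quoted above

def parse_advisory(text):
    """Return one dict per component entry, in document order."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        field, cve = FIELD.match(line), CVE.match(line)
        if field and entries:
            entries[-1][field.group(1).lower()] = field.group(2)
        elif cve and entries:
            entries[-1]["cves"].append({"id": cve.group(1), "credit": cve.group(2)})
        elif not field and not cve:
            entries.append({"component": line, "cves": []})  # bare line opens an entry
    for e in entries:
        e["exploited"] = EXPLOITED in e.get("impact", "")
    # Header lines such as "Released ..." open entries that never get a CVE; drop them.
    return [e for e in entries if e["cves"]]

def triage(entries):
    """CVE IDs to patch first: entries Apple reports as possibly exploited."""
    return [c["id"] for e in entries if e["exploited"] for c in e["cves"]]

if __name__ == "__main__":
    print("Patch first:", triage(parse_advisory(ADVISORY)))
```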

How to update your iPhone or iPad to protect your devices

Whether you’re running iOS 17, iOS 16, or iOS 15, you should update your iPhone or iPad immediately. To do so, head to Settings > General > Software Update. Allow your device to look for the new update, then, when it is available, follow the on-screen instructions to download and install the latest version. If you have Automatic Updates enabled, your device may update on its own when connected to power and Wi-Fi, but this can take some time. The fastest way to update is to do so manually.
