IOS 17.4 Fixes Two Big IPhone Security Flaws

On Tuesday, Apple released iOS 17.4 and iPadOS 17.4 for compatible iPhones and iPads. It’s a significant update —at least if you live in the EU , which features third-party app stores and support for non-WebKit web browsers—but the rest of the world also gets some cool new features thanks to automatic transcription in Apple Podcasts. up to 118 new emoticons.

However, new features aren’t the only reason you should prioritize this update for your iPhone or iPad. In fact, you should update your Apple devices as soon as possible since iOS and iPadOS 17.4 also fixes two serious zero-day security vulnerabilities.

Security updates in iOS and iPadOS 17.4

While new Apple software updates are usually accompanied by release notes—a list of features, changes, and bug fixes in the update—the company is typically slower to release security notes about the update. Hours after releasing version 17.4 , Apple has finally published its security notes , detailing the four security fixes it includes for your iPhone or iPad.

Two of these fixes are less severe: one is a fix for an accessibility flaw that could allow an app to read sensitive location information, and the other is a fix for a Safari private browsing flaw that can reveal locked tabs when switching. groups of tabs in private browsing.

However, it is much more important to address the other two vulnerabilities. Both patches, one for the kernel vulnerability (the kernel of iOS and iPadOS) and the other for the RTKit vulnerability (the platform for managing time functionality of iOS and iPadOS), allow an attacker to bypass kernel memory protection, allowing him to gain access to memory allocated for the most basic OS functions your iPhone or iPad.

Besides being a frightening prospect, these two vulnerabilities are especially serious because Apple has confirmed that there are known exploits for them. This means that someone somewhere not only knows about these two shortcomings, but also took advantage of them. Therefore, all of us who have one of these Apple devices need to update it as soon as possible.

In particular, the kernel vulnerability is so serious that Apple has also released iOS and iPadOS 16.7.6 updates for iPhone 8 and later. They also distributed iOS and iPadOS 15.8.2 for iPhone 6S and later, but didn’t release any security notes, so we can’t say what exactly these updates fix.

You can read the full security notes for iOS and iPadOS 17.4 below:

iOS 17.4 and iPadOS 17.4

Released March 5, 2024

More CVEs coming soon.

Availability

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6 1st generation and later, and iPad mini 5th generation and later

Impact. The application can read sensitive location information.

Description. The privacy issue has been addressed with improved personal data editing for journal entries.

CVE-2024-23243: Cristian Dinca from Tudor Vianu National High School of Computer Science, Romania.

Core

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6 1st generation and later, and iPad mini 5th generation and later

Impact. An attacker with arbitrary kernel read and write capabilities could bypass kernel memory protection. Apple is aware of a report that this issue may have been exploited.

Description. A memory corruption issue has been addressed with improved validation.

CVE-2024-23225

RTKit

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6 1st generation and later, and iPad mini 5th generation and later

Impact. An attacker with arbitrary kernel read and write capabilities could bypass kernel memory protection. Apple is aware of a report that this issue may have been exploited.

Description. A memory corruption issue has been addressed with improved validation.

CVE-2024-23296

Safari Private Browsing

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6 1st generation and later, and iPad mini 5th generation and later

Impact. A user’s locked tabs may appear briefly when switching tab groups while Locked Private Browsing is enabled.

Description. The logic issue has been addressed with improved state management.

CVE-2024-23256: Om Kothawade

How to Update your iPhone or iPad to Protect Your Devices

Whether you’re using iOS 17, iOS 16, or iOS 15, you should update your iPhone or iPad immediately. To do this, go to Settings > General > Software Update . Allow your device to search for a new update, and then, if available, follow the onscreen instructions to download and install the latest version. If you have automatic updates enabled, your device can update itself when connected to a network and Wi-Fi, but this may take a while. The fastest way to update is to do it manually.

More…

Leave a Reply