APPLE

iOS 17.4 includes 4 important security fixes, 2 of them for flaws that have been exploited


iOS 17.4 is available to all users and brings a ton of changes, including new emoji, a CarPlay update, changes to the EU App Store, quantum security for iMessage, and more. However, this release also contains important security fixes. Here are all the details.

Just after launching iOS 17.4 to all users today, Apple has shared details of important security fixes on its website.

2 vulnerabilities fixed and more

  • A kernel bug was fixed that allowed attackers to “bypass kernel memory protection.”
    • Apple is aware of reports of active exploitation of this vulnerability
  • The RTKit flaw also allowed attackers to “bypass kernel memory protection.”
    • Apple is aware of reports of active exploitation of this vulnerability

The other two flaws concerned Accessibility, where an app could “read sensitive location information,” and Safari's Private Browsing, where locked tabs could be briefly visible.

Here are the full security release notes:

More CVEs coming soon.

Accessibility

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information.

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2024-23243: Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania

Kernel

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation

Impact: An attacker with arbitrary kernel read/write capabilities may be able to bypass kernel memory protection. Apple is aware of a report that this issue may have been exploited.

Description: A memory corruption issue has been addressed through improved validation.

CVE-2024-23225

RTKit

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker with arbitrary kernel read/write capabilities may be able to bypass kernel memory protection. Apple is aware of a report that this issue may have been exploited.

Description: A memory corruption issue has been addressed through improved validation.

CVE-2024-23296

Safari Private Browsing

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation

Impact: A user's locked tabs may be briefly visible while switching tab groups when Locked Private Browsing is enabled.

Description: A logic issue was addressed with improved state management.

CVE-2024-23256: Om Kothawade

Additional recognition

AirDrop

We would like to acknowledge Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania, for assistance.

Mail Conversation View

We would like to acknowledge the assistance of an anonymous researcher.

NetworkExtension

We would like to thank Mathy Vanhoef (KU Leuven University) for his help.

Settings

We would like to thank Christian Scalese, Logan Ramgoon, Lucas Monteiro, Daniel Monteiro, Felipe Monteiro and Peter Watthey for their assistance.