APPLE

iOS 17.4 includes 4 important security fixes, 2 of them have been used

Restore clarity with MacPaw's CleanMyPhone, a new AI-powered cleaning app that quickly identifies and removes blurry images, screenshots and other clutter from your device. Download your free trial now.

iOS 17.4 is available to all users and brings a ton of changes, including new emoji, a CarPlay update, changes to the EU App Store, quantum security for iMessage, and more. However, this release also contains important security fixes. Here are all the details.

Just after launching iOS 17.4 to all users today, Apple has shared details of important security fixes on its website.

2 vulnerabilities fixed and more

  • Was fixed ​​kernel bugthat allowed attackers to “bypass kernel memory protection.”
    • Apple is aware of reports of active exploitation of this vulnerability
  • The RTKit flaw also allowed attackers to &#8220 ;bypass kernel memory protection .”
    • Apple is aware of reports of active exploitation of this vulnerability

The other two flaws concerned accessibility, which allowed the app to “read sensitive location information,” and Safari's private browsing, which could show locked tabs visible for a short time.

Here's the full security release. Notes:

More CVEs coming soon.

Accessibility

Available for: iPhone XS and later, iPad Pro 12, 9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later

Impact: The application may read sensitive location information.

Description. The privacy issue has been addressed with improved editing of personal data for log entries.

CVE-2024-23243: Christian Dinka of “Tudor Vianu” National High School of Computer Science, Romania

Kernel

Available on: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation. Impact: An attacker with arbitrary kernel read/write capabilities may be able to bypass kernel memory protection. Apple is aware of a report of potential exploitation for this issue.

Description: A memory corruption issue has been addressed through improved validation.

CVE-2024-23225

RTKit

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6 gen 1 and later, and iPad mini 5 gen and later

Impact: An attacker with arbitrary kernel read/write capabilities may be able to bypass kernel memory protection. Apple is aware of a reported potential exploit for this issue.

Description: A memory corruption issue has been addressed through improved validation.

CVE-2024-23296

Safari Private Browsing

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation Impact: User's locked tabs may be briefly displayed when switching tab groups in a locked state. Private browsing enabled

Description: A logic issue was addressed with improved state management.

CVE-2024-23256: Om Kothawade

Additional recognition

AirDrop

We would like to acknowledge Christian Dinke of “Tudor Vianu” National High School of Computer Science, Romania, for assistance.

View mail dialogue

We would like to acknowledge the assistance of an anonymous researcher.

NetworkExtension

We would like to thank Mathie Vanhoef (KU Leuven University) for his help.

Settings

We would like to thank Christian Scalese, Logan Ramgoon, Lucas Monteiro, Daniel Monteiro, Felipe Monteiro and Peter Wattie for their assistance.

Leave a Reply

Your email address will not be published. Required fields are marked *