https://apple.news/AbO2MeNqRSbyRx-MRw4PRrw
iOS 17.4—Update Now Warning Issued To All iPhone Users
Kate O’Flaherty, Senior Contributor for Forbes, Mar 5, 2024, 02:44pm EST
Apple has issued iOS 17.4, along with a warning to update now. That’s because iOS 17.4 fixes at least four security issues, two of which are already being used in real life attacks.
Apple doesn’t give many details about what’s fixed in iOS 17.4, to ensure as many iPhone users as possible can update before attackers get hold of the details. The first already-exploited flaw is an issue in the Kernel at the heart of the iPhone operating system, tracked as CVE-2024-23225.
Using the issue fixed in iOS 17.4, an attacker with arbitrary kernel read and write capability might be able to bypass memory protections, Apple said on its support page. “Apple is aware of a report that this issue may have been exploited,” Apple said.
Another bug in RTKit, the real-time operating system based on the RTKit framework and is used in Apple devices such as AirPods, Siri Remote, Apple Pencil 2 and Smart Keyboard Folio is tracked as CVE-2024-23296. According to Apple, the flaw fixed in iOS 17.4 “could allow an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.”
Again, Apple said it “is aware of a report that this issue may have been exploited.”
Exploiting the two issues could lead to compromising the entire device, says Sean Wright, head of application security at Featurespace.
Forbes Daily: Join over 1 million Forbes Daily subscribers and get our best stories, exclusive reporting and essential analysis of the day’s news in your inbox every weekday.
By signing up, you accept and agree to our Terms of Service (including the class action waiver and arbitration provisions), and Privacy Statement. Forbes is protected by reCAPTCHA, and the Google Privacy Policy and Terms of Service apply.
However it would be “extremely difficult” to successfully perform the attack, he says. “Attackers would need to try to get the victim to install a malicious application or exploit a previous vulnerability that has not been patched.”Apple’s iOS 17.4 also fixes an issue in Accessibility that could enable an app to read sensitive location information. Meanwhile, a flaw in Safari Private Browsing could cause a user’s locked tabs to be briefly visible while switching tab groups.
Apple said additional CVE entries will be “coming soon,” indicating there could be more to the iOS 17.4 update.
Why You Should Update Now To iOS 17.4
Apple’s iOS 17.4 comes with seismic changes for EU users to open up iPhones to sideloading. It also includes some great new features, including an update to Stolen Device Protection, which alone make the upgrade worthwhile.
With two flaws already being used in attacks, it goes without saying that you should update now to iOS 17.4, if you care about your security.
Go to your iPhone’s Settings > General > Software Update and download and install iOS 17.4 as soon as possible.
Abycats' Thoughts 