iOS 17.4 – ‘update now’ warning issued to all iPhone users


Apple has issued iOS 17.4, along with a warning to update now. That’s because iOS 17.4 fixes at least four security issues, two of which are already being used in real-life attacks.
The Apple logo is seen on the outside of Bill Graham Civic Auditorium before the start of an event in San Francisco, California on September 7, 2016. (Photo by Josh Edelson/AFP via Getty Images)

Apple doesn’t give many details about what’s fixed in iOS 17.4, to ensure as many iPhone users as possible can update before attackers get hold of the details. The first already-exploited flaw is an issue in the Kernel at the heart of the iPhone operating system, tracked as CVE-2024-23225.

Using the issue fixed in iOS 17.4, an attacker with arbitrary kernel read and write capability might be able to bypass memory protections, Apple said on its support page. “Apple is aware of a report that this issue may have been exploited,” Apple said.

Apple has also fixed this single issue in iOS 16.7.6 for users of older devices.

Another bug, in RTKit, the real-time operating system framework used in Apple devices such as AirPods, Siri Remote, Apple Pencil 2 and Smart Keyboard Folio, is tracked as CVE-2024-23296.

According to Apple, the flaw fixed in iOS 17.4 “could allow an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.”


Again, Apple said it “is aware of a report that this issue may have been exploited.”

Exploiting the two issues could lead to compromising the entire device, says Sean Wright, head of application security at Featurespace.

However it would be “extremely difficult” to successfully perform the attack, he says. “Attackers would need to try to get the victim to install a malicious application or exploit a previous vulnerability that has not been patched.”

Apple’s iOS 17.4 also fixes an issue in Accessibility that could enable an app to read sensitive location information. Meanwhile, a flaw in Safari Private Browsing could cause a user’s locked tabs to be briefly visible while switching tab groups.

Other iPhone updates

Alongside iOS 17.4 and iOS 16.7.6, Apple has also released iOS 15.8.2 and iPadOS 15.8.2 for the iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

The iOS 15.8.2 update doesn’t include any CVE entries—in other words, there are no security fixes included. Instead, the update for older iPhones probably contains bug fixes, so it’s worth prioritizing if you have an older iPhone.

However, it’s also worth bearing in mind that if your iPhone can run iOS 17, you need to upgrade to the latest software version, iOS 17.4. Apple no longer supports iOS 16 for devices later than the iPhone X, so if you don’t upgrade, you are leaving yourself open to attack.

Update: Apple security fixes in detail, patches more devices

On March 7, Apple released more details about the security issues fixed in iOS 17.4, as well as updates for its other devices.

It’s not clear why these weren’t listed in the initial iOS 17.4 release, but it’s obvious that Apple highlighted the already-exploited flaws to let people know about the urgency of the upgrade.

In addition to the three issues Apple originally detailed as patched in iOS 17.4, the iPhone maker has listed nearly 40 fixes on its security page. It might sound like a large number, but it’s normal for a big point upgrade such as iOS 17.4.

As part of its iOS 17.4 patch list, Apple fixed a whopping six flaws in WebKit, the engine that underpins the Safari browser. Of these, one issue tracked as CVE-2024-23226 could result in arbitrary code execution via processing malicious web content.

CVE-2024-23284 and CVE-2024-23263 could prevent Content Security Policy from being enforced via processing malicious web content.

An additional two flaws in the iPhone kernel were fixed in iOS 17.4. The first could see an app be able to access user-sensitive data, while the second could enable an app to cause unexpected system termination or write kernel memory.

A serious issue in libxpc could see an app able to break out of its sandbox, while a second flaw could enable it to execute arbitrary code out of its sandbox or with certain elevated privileges.

Meanwhile, an issue in the Sandbox itself tracked as CVE-2024-23239 could enable an app to leak sensitive user information.

A bug in ImageIO tracked as CVE-2024-23286 could result in arbitrary code execution. Meanwhile, an issue in Image Processing tracked as CVE-2024-23270 could allow an app to execute arbitrary code with kernel privileges.

Also on March 7, Apple issued Safari 17.4 for its browser, including several WebKit patches, as well as macOS Sonoma 14.4, macOS Ventura 13.6.5, macOS Monterey 12.7.4, watchOS 10.4, tvOS 17.4 and visionOS 1.1 for its Apple Vision Pro.

The macOS, watchOS, tvOS and visionOS updates include the already-exploited issues in the Kernel and RTKit, so it makes sense to treat these as urgent and update your devices as soon as possible.

Why you should update now to iOS 17.4

Apple’s iOS 17.4 comes with seismic changes for EU users to open up iPhones to sideloading. It also includes some great new features, including an update to Stolen Device Protection to allow a security delay in all locations.

Meanwhile, the iOS 17.4 upgrade also includes an update to iMessage that improves iPhone security and privacy. The move to add the PQ3 messaging protocol will help get ahead of future security threats such as quantum based attacks, according to Apple.

With so many issues fixed and two of the flaws already being used in attacks, it goes without saying that you should update now to iOS 17.4, if you care about your security.

So, what are you waiting for? Go to your iPhone’s Settings > General > Software Update and download and install iOS 17.4 as soon as possible.

This article was first published on forbes.com and all figures are in USD.
