iOS 17.4 includes 4 important security fixes, 2 were exploited

Regain clarity with CleanMyPhone by MacPaw — the new AI-powered cleaning app that quickly identifies and removes blurred images, screenshots, and other clutter from your device. Download it now with a free trial.


iOS 17.4 is here for all users and comes with lots of changes including new emoji, a CarPlay update, EU App Store changes, quantum security for iMessage, and more. However, there are also important security fixes with the release. Here are all the details.

Just after launching iOS 17.4 for all users today, Apple shared the specifics of the important security fixes on its website.

2 reportedly exploited flaws patched and more

  • A kernel flaw was patched that allowed attackers to “bypass kernel memory protections.”
    • Apple is aware of a report this flaw was actively exploited
  • An RTKit flaw also allowed malicious parties to “bypass kernel memory protections.”
    • Apple is aware of a report this flaw was actively exploited

The remaining two flaws were for Accessibility which allowed an app to “read sensitive location information and Safari Private Browsing which may have shown locked tabs as visible for a short time.

Here are the full security release notes:


Additional CVE entries coming soon.

Accessibility

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2024-23243: Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania

Kernel

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.

Description: A memory corruption issue was addressed with improved validation.

CVE-2024-23225

RTKit

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.

Description: A memory corruption issue was addressed with improved validation.

CVE-2024-23296

Safari Private Browsing

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: A user’s locked tabs may be briefly visible while switching tab groups when Locked Private Browsing is enabled

Description: A logic issue was addressed with improved state management.

CVE-2024-23256: Om Kothawade


Additional recognition

AirDrop

We would like to acknowledge Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania for their assistance.

Mail Conversation View

We would like to acknowledge an anonymous researcher for their assistance.

NetworkExtension

We would like to acknowledge Mathy Vanhoef (KU Leuven University) for their assistance.

Settings

We would like to acknowledge Christian Scalese, Logan Ramgoon, Lucas Monteiro, Daniel Monteiro, Felipe Monteiro, and Peter Watthey for their assistance.

Add 9to5Mac to your Google News feed. 

FTC: We use income earning auto affiliate links. More.

Leave a Reply

Your email address will not be published. Required fields are marked *

Tech Blog

See More Posts

Contact us

Partner with Us for Comprehensive IT

We’re happy to answer any questions you may have and help you determine which of our services best fit your needs.

Your benefits:
What happens next?
1

We Schedule a call at your convenience 

2

We do a discovery and consulting meting 

3

We prepare a proposal 

Schedule a Free Consultation