Apple has issued iOS 17.4, along with a warning to update now. That’s because iOS 17.4 fixes at least four security issues, two of which are already being used in real life attacks.
Apple doesn’t give many details about what’s fixed in iOS 17.4, to ensure as many iPhone users as possible can update before attackers get hold of the details. The first already-exploited flaw is an issue in the Kernel at the heart of the iPhone operating system, tracked as CVE-2024-23225.
Using the issue fixed in iOS 17.4, an attacker with arbitrary kernel read and write capability might be able to bypass memory protections, Apple said on its support page. “Apple is aware of a report that this issue may have been exploited,” Apple said.
Apple has also fixed this single issue in iOS 16.7.6 for users of older devices.
Another bug in RTKit, the real-time operating system based on the RTKit framework and is used in Apple devices such as AirPods, Siri Remote, Apple Pencil 2 and Smart Keyboard Folio is tracked as CVE-2024-23296. According to Apple, the flaw fixed in iOS 17.4 “could allow an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.”
Again, Apple said it “is aware of a report that this issue may have been exploited.”
Exploiting the two issues could lead to compromising the entire device, says Sean Wright, head of application security at Featurespace.
However it would be “extremely difficult” to successfully perform the attack, he says. “Attackers would need to try to get the victim to install a malicious application or exploit a previous vulnerability that has not been patched.”
Apple’s iOS 17.4 also fixes an issue in Accessibility that could enable an app to read sensitive location information. Meanwhile, a flaw in Safari Private Browsing could cause a user’s locked tabs to be briefly visible while switching tab groups.
Apple said additional CVE entries will be “coming soon,” indicating there could be more to the iOS 17.4 update.
Other iPhone Updates
Alongside iOS 17.4 and iOS 16.7.6, Apple has also released iOS 15.8.2 and iPadOS 15.8.2 for the iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).
The iOS 15.8.2 update doesn’t include any CV entries—in other words, there are no security fixes included. Instead, the update for older iPhone probably contains bug fixes, so it’s worth prioritizing if you have an older iPhone.
However, it’s also worth bearing in mind that if your iPhone can run iOS 17, you need to upgrade to the latest software version, iOS 17.4. Apple no longer supports iOS 16 for devices later than the iPhone X, so if you don’t upgrade, you are leaving yourself open to attack.
Why You Should Update Now To iOS 17.4
Apple’s iOS 17.4 comes with seismic changes for EU users to open up iPhones to sideloading. It also includes some great new features, including an update to Stolen Device Protection to allow a security delay in all locations.
Meanwhile, the iOS 17.4 upgrade also includes an update to iMessage that improves iPhone security and privacy. The move to add the PQ3 messaging protocol will help get ahead of future security threats such as quantum based attacks, according to Apple.
With two flaws already being used in attacks, it goes without saying that you should update now to iOS 17.4, if you care about your security.
So, what are you waiting for? Go to your iPhone’s Settings > General > Software Update and download and install iOS 17.4 as soon as possible.
—
Update 03/06 at 10:50am EST. This article was first published on 03/05 at 02:44pm EST. Updated to include details of the iOS 15.8.2 and iPadOS 15.8.2 update for older devices.