Security & Privacy

Update now: iOS 17.4 and iPadOS 17.4 fix 2 zero-day vulnerabilities

Posted on by

On Tuesday, March 5, Apple released significant operating system updates for iPhone and iPad. The iOS 17.4 and iPadOS 17.4 updates include new features as well as critical security updates. Let’s explore everything you should know about what Apple changed.

Update: Apple released updates for macOS, etc. on Thursday, March 7. Now that Apple has released more details about the iOS security updates, we’ve noted this below.

In this article:

iOS 17.4 and iPadOS 17.4

Available for:
iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Non-security changes in iOS 17.4 and iPadOS 17.4

Apple’s iOS 17 release notes detail a number of significant changes, including the following.

  • There are new emoji; these include a broken chain, a lime, an edible mushroom, a phoenix, and nodding and shaking heads. Apple also introduced variations of 18 existing people emoji; they can now face either direction.
  • Apple Podcasts now includes transcripts, with text that highlights in sync with the audio in English, French, German, and Spanish.

There are other significant changes in iOS 17.4 that Apple did not mention in its release notes. Exclusively in EU countries (due to the new Digital Markets Act), iOS 17 now supports third-party app stores. Additionally, browsers can use their own rendering engines, just like on desktop computers and Android phones; Apple no longer forces developers to use its WebKit engine on iOS. These changes are notably absent from iPadOS 17.4 because the European Commission has not declared iPads to be subject to the DMA. And, of course, non-EU countries do not get these changes, either.

Security fixes and improvements in iOS 17.4 and iPadOS 17.4

On the company’s security release notes page, Apple links to details about some of the security issues patched in iOS and iPadOS 17.4:

Accessibility

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2024-23243: Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania

 

Kernel

Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.

Description: A memory corruption issue was addressed with improved validation.

CVE-2024-23225

 

RTKit

Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.

Description: A memory corruption issue was addressed with improved validation.

CVE-2024-23296

 

Safari Private Browsing

Impact: A user’s locked tabs may be briefly visible while switching tab groups when Locked Private Browsing is enabled

Description: A logic issue was addressed with improved state management.

CVE-2024-23256: Om Kothawade

Notably, Apple states that “Additional CVE entries [are] coming soon.” Apple will probably release this additional information alongside the forthcoming releases of macOS Sonoma 14.4, tvOS 14.4, and watchOS 10.4. Update: Apple updated its other operating systems, and the total number of CVEs addressed in iOS 17.4 now appears to be 39.

Apple also acknowledged that iOS and iPadOS 17.4 include security or privacy improvements related to AirDrop, Mail Conversation View, NetworkExtension, and Settings. The company did not specify CVE numbers or additional details, other than the names of contributors who offered Apple assistance. Update: Apple added several more “Additional recognitions” for iOS 17.4 upon the release of macOS Sonoma 14.4.

iOS 16.7.6 and iPadOS 16.7.6

Available for:
iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

Apple released a security-only update for iOS and iPadOS 16 for older devices that the 17 versions do not support. However, as is typical, Apple did not patch all security flaws for the older operating systems. While the 17 versions address at least four vulnerabilities with CVE numbers, and at least four other security issues for which Apple didn’t assign CVEs, iOS and iPadOS 16.7.6 only address the “exploited” kernel vulnerability, CVE-2024-23225.

Intego has reached out to Apple seeking clarification whether CVE-2024-23296 (the “exploited” RTKit issue) or CVE-2024-23243 (the Accessibility privacy issue) impact iOS or iPadOS 16. If Apple responds (which is unlikely, based on Apple’s track record), we will update this article.

CVE-2024-23256 (the Safari Private Browsing issue) does not apply to iOS or iPadOS 16; Apple introduced Locked Private Browsing in iOS and iPadOS 17.

Update: After releasing a related round of updates for its other operating systems, the total number of patches for iOS 16.7.6 now appears to be 19. Note that this is significantly fewer than the 39 vulnerabilities that Apple addressed in iOS 17.4.

How to install Apple security updates

Due to the severity and in-the-wild exploitation of two of the vulnerabilities, it is ideal to update as soon as you can.

On your iPhone or iPad, you can go to Settings > General > Software Update to update iOS or iPadOS. (Apple calls this an “over the air” or OTA update.) Alternatively, you can connect your device to your Mac, click on the device name in a Finder window sidebar, and check for updates there. You can also back up and update your device by connecting it to a Windows PC and using the Apple Devices app from the Microsoft Store.

Whenever you’re preparing to update macOS, iOS, or iPadOS, it’s a good idea to always back up your data before installing any updates. This gives you a restore point if something does not go as planned. See our article on how to back up your iPhone or iPad to iCloud and to your Mac.

Should you back up your iPhone to iCloud or your Mac? Here’s how to do both

How can I learn more?

We discussed the March 5 security updates on episode 334 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on X/Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →