New iOS 17.3 Update Warning Issued To All iPhone Users


Apple’s iOS 17.3 launched a month ago and many security-conscious iPhone users have already upgraded to the latest software. But many more cautious iPhone users prefer to wait to update their device, in case any bugs are introduced.

In the case of iOS 17.3, waiting really isn’t a good idea, because some of the security flaws patched in the upgrade are being exploited in real-life attacks.

Now, with iOS 17.4 set to arrive in a matter of days, details have emerged about one of the issues fixed in iOS 17.3, tracked as CVE-2024-23204 and reported by Jubaer Alnazi, a researcher at security outfit Bitdefender.

“Apple’s Shortcuts application, designed to enhance user automation, can inadvertently become a potential vector for privacy breaches,” Alnazi wrote in a blog describing the nature of the vulnerability, its potential impact, and recommended mitigation measures.

What Is CVE-2024-23204 And How Bad Is It?

Fixed in iOS 17.3, CVE-2024-23204 is an issue in Apple’s Shortcuts that could allow an attacker to access sensitive data with certain actions without prompting the user.

The issue was addressed with additional permissions checks, according to Apple’s support page detailing the iOS 17.3 fixes. Reported to the iPhone maker by Alnazi (@h33tjubaer), the flaw has been given a CVSS score of 7.5. It came alongside another CVE, CVE-2024-23203.

The issue affects macOS and iOS devices running versions prior to macOS Sonoma 14.3 and versions prior to iOS 17.3 and iPadOS 17.3, respectively.

Shortcuts is a visual scripting application developed by Apple and provided on its iOS, iPadOS, macOS, and watchOS operating systems. It allows users to share shortcuts with others, but it’s this flexibility that makes the vulnerability risky.

This is because users can unknowingly import shortcuts that might exploit CVE-2024-23204. “With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms,” Alnazi explained.

And for CVE-2024-23204 it was possible to craft a Shortcuts file that would be able to bypass Transparency, Consent and Control (TCC), a security framework in Apple’s macOS and iOS that governs access to sensitive user data and system resources by applications. “TCC ensures that apps explicitly request permission from the user before accessing certain data or functionalities, enhancing user privacy and security,” Alnazi wrote.

In his blog and via a video, he demonstrated how an iPhone user could install a malicious shortcut.

So should you be worried? If you use Shortcuts, obviously yes, but otherwise, it’s more important to cover yourself for the already-exploited iPhone flaws fixed in iOS 17.3.

Even if you do use Shortcuts, Sean Wright, head of application security at Featurespace, says the issue is relatively difficult to exploit. “To successfully attack a user, you need them to explicitly install the malicious Shortcut. While not impossible, it’s just another barrier that an attacker would have to overcome. It’s great to see this fixed, and it’s certainly an interesting vulnerability, but I think the likelihood of an attack being successful would be rather limited.”

What To Do

So what should you do to avoid this issue? The answer is pretty simple—if you haven’t already, update now to iOS 17.3, which’ll mean installing the latest software, iOS 17.3.1. Bitdefender mirrors this advice, saying iPhone users should update their macOS, iPadOS and watchOS devices to the latest versions now.

In addition, exercise caution when executing shortcuts from untrusted sources and regularly check for security updates and patches from Apple.

Apple iPhone Security—What’s Next?

The next iPhone update will be iOS 17.4, which Apple will release in about a week. The iOS 17.4 update is one of the biggest iPhone upgrades yet—at least if you live in the EU.

That’s because it includes changes to the App Store and iOS ecosystem to allow sideloading in line with the EU Digital Markets Act. This puts Apple on the same footing as Google because the iPhone maker will allow users to download apps from other app stores. At the current time, these will be approved by Apple—adding security—however the iOS 17.4 move does open up EU users to cybersecurity threats.

One of the key benefits of owning an iPhone is the security of a closed ecosystem governed by Apple. Unlike rival Google, the iPhone maker owns the hardware, software and operating system. The changes coming in iOS 17.4 will completely transform this.

Apple is doing its best to secure iOS users following the update, with steps such as Notarization of apps, but the iPhone maker acknowledges that less control over the ecosystem does reduce security.

It’s important to note that this change is only coming for EU users, so countries such as the U.K. and U.S. are not affected. In the future, this could change with regulation and user demand, but for now things will remain the same.

There are some cool new features coming in the next update for all iPhone users, such as robust, future-proof security for iMessage and enhancements to the Stolen Device Protection capability.

Meanwhile, iOS 17.4 will come with major security fixes, so keep your eyes peeled for my story covering the release. Increasingly often, Apple is patching bugs being used in real-life attacks. Some security holes are used to perform so-called “zero-click” attacks requiring no interaction from the user to implant spyware on iPhones. While these attacks are highly targeted, the only way to be completely safe is to keep your device up to date, installing the latest software as soon as it arrives.

Updated on 02/25 at 10:05 EST. This article was first published on 02/23 at 09:56 EST. Updated to include information about iOS 17.4, Apple’s next important iPhone upgrade.
