Apple today released iOS 17.4 as well as iOS 16.7.6 (and the respective iPadOS versions). These updates fix a total of four vulnerabilities, two of which are already being exploited. CVE-2024-23225 is a privilege escalation issue that affects both iOS 17 and iOS 16. The second already exploited vulnerability, CVE-2024-23296, only affects iOS 17.
We rated the exploited vulnerabilities as “important”, not “critical”. They appear to only allow for privilege escalation.
CVE-2024-23243 [important] Accessibility
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to read sensitive location information.
Fixed in: iOS 17.4 and iPadOS 17.4

CVE-2024-23225 [moderate] *** EXPLOITED *** Kernel
A memory corruption issue was addressed with improved validation.
An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
Fixed in: iOS 17.4 and iPadOS 17.4; iOS 16.7.6 and iPadOS 16.7.6

CVE-2024-23296 [moderate] *** EXPLOITED *** RTKit
A memory corruption issue was addressed with improved validation.
An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
Fixed in: iOS 17.4 and iPadOS 17.4

CVE-2024-23256 [moderate] Safari Private Browsing
A logic issue was addressed with improved state management.
A user’s locked tabs may be briefly visible while switching tab groups when Locked Private Browsing is enabled.
Fixed in: iOS 17.4 and iPadOS 17.4
—
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.