Apple has rolled out iOS 17.3, emphasizing the importance of immediate updating due to the resolution of 16 security issues, one of which is actively exploited in real-world attacks.
The details of the fixes in iOS 17.3 are intentionally limited by Apple to encourage a swift update across as many iPhone users as possible before attackers can exploit the vulnerabilities. The identified issue tracked as CVE-2024-23222, pertains to a vulnerability in WebKit, the engine supporting Apple’s Safari browser. This flaw could permit an attacker to execute code, and Apple acknowledges awareness of reports suggesting its exploitation.
As part of the iOS 17.3 security upgrade, Apple also addresses three additional WebKit vulnerabilities, two of which could lead to code execution. Another noteworthy fix is for a Kernel flaw tracked as CVE-2024-23208, posing a risk of enabling an adversary to execute arbitrary code with Kernel privileges through an app.
The release of iOS 17.3 follows a series of emergency updates by Apple, some specifically patching vulnerabilities exploited in spyware attacks. These attacks involve compromising iPhones through “zero-click” methods, requiring no user interaction, often leveraging flaws in WebKit.
It is atypical for Apple to incorporate an urgent fix already under attack in a major point upgrade like iOS 17.3. The coincidental timing is considered, but the critical security fixes provide a compelling reason to update promptly.
Beyond security enhancements, iOS 17.3 offers significant feature upgrades, including the introduction of Stolen Device Protection, preventing unauthorized access to data if a device is stolen.
The urgency to update to iOS 17.3 is further underscored by the cessation of security updates for devices running iOS 16. For users with older iPhones, Apple has released updates alongside iOS 17.3. iOS 16.7.5 addresses security issues, including the WebKit flaw (CVE-2024-23222) also patched in iOS 17.3, which is already exploited. Additionally, updates for even older devices, listed as iPhone 6s, iPhone 7, iPhone SE, iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation), are available in the form of iOS 15.8.1 and iPadOS 15.8.1, fixing critical security vulnerabilities.
The severity of the flaws fixed in iOS 17.3, especially the exploited WebKit issue, underscores the urgency of the update. Sean Wright, head of application security at Featurespace, warns that the Kernel-based vulnerability could potentially be combined with WebKit vulnerabilities, granting remote control of a victim’s device. Users are strongly advised to go to Settings > General > Software Update on their iPhones and promptly download and install iOS 17.3.
