Apple today released iOS 17.4 as well as iOS 16.7.6 (and the respective iPadOS versions). These updates fix a total of four vulnerabilities. Two of the vulnerabilities are already being exploited. CVE-2024-23225 is a privilege escalation issue and only affects iOS 17 as well as iOS 16. The second already exploited vulnerability, CVE-2024-23296, only affects iOS 17.
We rated the exploited vulnerabilities as "important", not "critical". They appear to only allow for privilege escalation.
| iOS 17.4 and iPadOS 17.4 | iOS 16.7.6 and iPadOS 16.7.6 |
|---|---|
| CVE-2024-23243 [important] Accessibility A privacy issue was addressed with improved private data redaction for log entries. An app may be able to read sensitive location information |
|
| x | |
| CVE-2024-23225 [moderate] *** EXPLOITED *** Kernel A memory corruption issue was addressed with improved validation. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. |
|
| x | x |
| CVE-2024-23296 [moderate] *** EXPLOITED *** RTKit A memory corruption issue was addressed with improved validation. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. |
|
| x | |
| CVE-2024-23256 [moderate] Safari Private Browsing A logic issue was addressed with improved state management. A user's locked tabs may be briefly visible while switching tab groups when Locked Private Browsing is enabled |
|
| x | |
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.