APPLE-SA-03-05-2024-1 iOS 17.4 and iPadOS 17.4
APPLE-SA-03-05-2024-1 iOS 17.4 and iPadOS 17.4
- Subject: APPLE-SA-03-05-2024-1 iOS 17.4 and iPadOS 17.4
- From: Apple Product Security via Security-announce <email@hidden>
- Date: Tue, 05 Mar 2024 13:56:43 -0800
- Original-recipient: rfc822;email@hidden
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-03-05-2024-1 iOS 17.4 and iPadOS 17.4
iOS 17.4 and iPadOS 17.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214081.
Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.
Additional CVE entries coming soon.
Accessibility
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-23243: Cristian Dinca of "Tudor Vianu" National High School of
Computer Science, Romania
Kernel
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An attacker with arbitrary kernel read and write capability may
be able to bypass kernel memory protections. Apple is aware of a report
that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved
validation.
CVE-2024-23225
RTKit
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An attacker with arbitrary kernel read and write capability may
be able to bypass kernel memory protections. Apple is aware of a report
that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved
validation.
CVE-2024-23296
Safari Private Browsing
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: A user's locked tabs may be briefly visible while switching tab
groups when Locked Private Browsing is enabled
Description: A logic issue was addressed with improved state management.
CVE-2024-23256: Om Kothawade
Additional recognition
AirDrop
We would like to acknowledge Cristian Dinca of "Tudor Vianu" National
High School of Computer Science, Romania for their assistance.
Mail Conversation View
We would like to acknowledge an anonymous researcher for their
assistance.
NetworkExtension
We would like to acknowledge Mathy Vanhoef (KU Leuven University) for
their assistance.
Settings
We would like to acknowledge Christian Scalese, Logan Ramgoon, Lucas
Monteiro, Daniel Monteiro, Felipe Monteiro, and Peter Watthey for their
assistance.
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/ iTunes and Software Update on the
device will automatically check Apple's update server on its weekly
schedule. When an update is detected, it is downloaded and the option
to be installed is presented to the user when the iOS device is
docked. We recommend applying the update immediately if possible.
Selecting Don't Install will present the option the next time you
connect your iOS device. The automatic update process may take up to
a week depending on the day that iTunes or the device checks for
updates. You may manually obtain the update via the Check for Updates
button within iTunes, or the Software Update on your device. To
check that the iPhone, iPod touch, or iPad has been updated: *
Navigate to Settings * Select General * Select About. The version
after applying this update will be "iOS 17.4 and iPadOS 17.4".
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXnkGsACgkQX+5d1TXa
IvpgixAAz7+sFhVu3KY/SFEpL0aG9HwoVQqMO7V9dwKwplMCz4kp5Y1YdSKQPnBL
HKXyu1Tq0k8Eg2JoTi9wPMX/7MaarkVtKqa/pdzJzFs4zfbzU8jeSukLmmzLgK7h
crJ8oG9gOCeOxFC4VAS5jUKszD13ghtteIvcK+dUu7bdsrjEzjm42Qwp2lvXaOsl
nsXLyQ5cRzc9271OdnbRPUA5LfZuw0K02E6dV0Rr1+g6XgZ562ELL0Smw15nbz20
ZLnu2/r1e7U1zIMolhHFJ7WbkT/vgc6Z1iKY7if2HQhCwjRDiyzGOMqWiWn95fCK
S5xtqkP/QOxnvfUB9Zc7t3usPAo6RCi5o83Dc7DlodlwCUiOvi4PyNovdijkeN4D
HoOyvk+4xyPiI4LAXYhNHztk4WhTt9vDIHh2wXksoe0nj6TWCEldRc+itnLr8s86
G56lF38HRR/k1aba7W4BGugNkGlfvXCnVaFvNVUr0trCftWwPi57ywsrJBHVWU7B
8GsDS2lipELiCNsCVyVdazBcLNYhwPqvOewbuDRL2iluWOeHvGgsH362cLb/Vm1g
KSglXqmnL691fsvajJX7bBldm9zJ48opsx/oJCnkeLZYbhlxsHeku4nNjPblrOoe
6NTfbVRu2Xhy8t6lgPDXUzVwEj/PXtQ2aP6EDizbX2o1ELwxts0=
=Onyn
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-03-05-2024-1 iOS 17.4 and iPadOS 17.4
iOS 17.4 and iPadOS 17.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214081.
Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.
Additional CVE entries coming soon.
Accessibility
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-23243: Cristian Dinca of "Tudor Vianu" National High School of
Computer Science, Romania
Kernel
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An attacker with arbitrary kernel read and write capability may
be able to bypass kernel memory protections. Apple is aware of a report
that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved
validation.
CVE-2024-23225
RTKit
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: An attacker with arbitrary kernel read and write capability may
be able to bypass kernel memory protections. Apple is aware of a report
that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved
validation.
CVE-2024-23296
Safari Private Browsing
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation
and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and
later, iPad Air 3rd generation and later, iPad 6th generation and later,
and iPad mini 5th generation and later
Impact: A user's locked tabs may be briefly visible while switching tab
groups when Locked Private Browsing is enabled
Description: A logic issue was addressed with improved state management.
CVE-2024-23256: Om Kothawade
Additional recognition
AirDrop
We would like to acknowledge Cristian Dinca of "Tudor Vianu" National
High School of Computer Science, Romania for their assistance.
Mail Conversation View
We would like to acknowledge an anonymous researcher for their
assistance.
NetworkExtension
We would like to acknowledge Mathy Vanhoef (KU Leuven University) for
their assistance.
Settings
We would like to acknowledge Christian Scalese, Logan Ramgoon, Lucas
Monteiro, Daniel Monteiro, Felipe Monteiro, and Peter Watthey for their
assistance.
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/ iTunes and Software Update on the
device will automatically check Apple's update server on its weekly
schedule. When an update is detected, it is downloaded and the option
to be installed is presented to the user when the iOS device is
docked. We recommend applying the update immediately if possible.
Selecting Don't Install will present the option the next time you
connect your iOS device. The automatic update process may take up to
a week depending on the day that iTunes or the device checks for
updates. You may manually obtain the update via the Check for Updates
button within iTunes, or the Software Update on your device. To
check that the iPhone, iPod touch, or iPad has been updated: *
Navigate to Settings * Select General * Select About. The version
after applying this update will be "iOS 17.4 and iPadOS 17.4".
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXnkGsACgkQX+5d1TXa
IvpgixAAz7+sFhVu3KY/SFEpL0aG9HwoVQqMO7V9dwKwplMCz4kp5Y1YdSKQPnBL
HKXyu1Tq0k8Eg2JoTi9wPMX/7MaarkVtKqa/pdzJzFs4zfbzU8jeSukLmmzLgK7h
crJ8oG9gOCeOxFC4VAS5jUKszD13ghtteIvcK+dUu7bdsrjEzjm42Qwp2lvXaOsl
nsXLyQ5cRzc9271OdnbRPUA5LfZuw0K02E6dV0Rr1+g6XgZ562ELL0Smw15nbz20
ZLnu2/r1e7U1zIMolhHFJ7WbkT/vgc6Z1iKY7if2HQhCwjRDiyzGOMqWiWn95fCK
S5xtqkP/QOxnvfUB9Zc7t3usPAo6RCi5o83Dc7DlodlwCUiOvi4PyNovdijkeN4D
HoOyvk+4xyPiI4LAXYhNHztk4WhTt9vDIHh2wXksoe0nj6TWCEldRc+itnLr8s86
G56lF38HRR/k1aba7W4BGugNkGlfvXCnVaFvNVUr0trCftWwPi57ywsrJBHVWU7B
8GsDS2lipELiCNsCVyVdazBcLNYhwPqvOewbuDRL2iluWOeHvGgsH362cLb/Vm1g
KSglXqmnL691fsvajJX7bBldm9zJ48opsx/oJCnkeLZYbhlxsHeku4nNjPblrOoe
6NTfbVRu2Xhy8t6lgPDXUzVwEj/PXtQ2aP6EDizbX2o1ELwxts0=
=Onyn
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden