iPhone Users Urged to Take Note of New iOS 17.3 Update Warning

Apple’s updated operating system, iOS 17.3, rolled out a month ago and numerous security-conscious iPhone users have already made the switch to the latest software. However, many more cautious iPhone users opt to delay updating their device to avoid any potential bugs that may arise.

In the context of iOS 17.3, postponing the update isn’t advisable because some of the security vulnerabilities addressed in the upgrade are currently being exploited in real-world attacks.

As the release of iOS 17.4 approaches in a few days, specific details have surfaced regarding one of the security issues resolved in iOS 17.3. Tagged as CVE-2024-23204 and documented by Jubaer Alnazi, a researcher at cybersecurity organization Bitdefender, this vulnerability is now in the spotlight.

“Apple’s Shortcuts application, created to enhance user automation, may unintentionally serve as a potential avenue for privacy breaches,” Alnazi specified in a blog post outlining the vulnerability, its possible consequences, and suggested precautionary measures.

What Is CVE-2024-23204 And How Severe Is It?

CVE-2024-23204, fixed in iOS 17.3, is a vulnerability within Apple’s Shortcuts that could enable a threat actor to obtain sensitive information through certain shortcut actions without requesting permission from the user.

Apple’s support documentation detailing the fixes in iOS 17.3 confirmed that the issue was mitigated with additional permission checks. Alnazi (@h33tjubaer), the individual who disclosed the flaw to Apple, assigned a CVSS score of 7.5 to it. Another CVE, CVE-2024-23203, was also addressed in the update.

This vulnerability affects macOS devices running versions prior to macOS Sonoma 14.3, and iOS and iPadOS devices running versions prior to iOS 17.3 and iPadOS 17.3.
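The version thresholds above are the only concrete data the article gives, so here is a small fleet-triage check built on them. This is an added example, not code from the article, Bitdefender or Apple: the platform names, the `PATCHED_MIN` table (taken from the thresholds stated above) and the device inventory are all constructed for illustration, and, following the article's wording, any version below the threshold is treated as unpatched. Versions are compared numerically rather than as strings, so a hypothetical "17.10" correctly ranks above "17.3".

```python
from typing import Dict, List, Tuple

# Minimum versions that contain the Shortcuts fix, as stated in the article.
# Constructed table: keys are platform labels chosen for this example.
PATCHED_MIN: Dict[str, str] = {
    "ios": "17.3",
    "ipados": "17.3",
    "macos": "14.3",   # macOS Sonoma 14.3
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '17.3.1' into (17, 3, 1). Rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Right-pad the shorter tuple with zeros so '17.3' compares equal to '17.3.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_patched(platform: str, version: str) -> bool:
    """True if the given OS version is at or above the article's fixed version.

    Raises ValueError for platforms the article gives no threshold for
    (e.g. watchOS), rather than silently guessing.
    """
    key = platform.strip().lower()
    if key not in PATCHED_MIN:
        raise ValueError(f"no patched-version threshold known for {platform!r}")
    have, need = _padded(parse_version(version), parse_version(PATCHED_MIN[key]))
    return have >= need


def unpatched_devices(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the names of devices whose (platform, version) is below the fix.

    inventory rows are (device_name, platform, version).
    """
    return [name for name, platform, version in inventory
            if not is_patched(platform, version)]


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("alice-iphone", "iOS", "17.3.1"),   # on the current release: patched
    ("bob-iphone", "iOS", "17.2.1"),     # one release behind: unpatched
    ("lab-ipad", "iPadOS", "17.10"),     # hypothetical; shows numeric, not string, ordering
    ("ci-mac", "macOS", "14.2.1"),       # Sonoma before 14.3: unpatched
    ("old-iphone", "iOS", "16.7.5"),     # below 17.3 per the article: unpatched
]


if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {name}")
```

In practice the inventory rows would come from an MDM export; the check itself stays the same. Note that the function deliberately refuses platforms without a stated threshold instead of reporting them as patched.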

Shortcuts, a visual scripting tool developed by Apple for its various operating systems, allows users to share their creations. However, that same sharing capability is what exposes users to this vulnerability.

The concern lies in the possibility of users unknowingly importing shortcuts that could exploit CVE-2024-23204. Alnazi elaborated, “Given that Shortcuts is widely utilized for efficient task management, the presence of this vulnerability raises apprehensions about the inadvertent dissemination of harmful shortcuts through multiple sharing platforms.”

For CVE-2024-23204, it was possible to craft a malicious shortcut file that could circumvent Transparency, Consent, and Control (TCC), the security framework in Apple’s macOS and iOS that regulates applications’ access to sensitive user data and system resources. Alnazi demonstrated in a blog post and video how such a malicious shortcut could end up installed on an iPhone user’s device.

Should there be cause for concern? If you utilize Shortcuts, the answer is yes. However, the priority should be on guarding against the iPhone vulnerabilities that have already been exploited and addressed in iOS 17.3.

Sean Wright, the head of application security at Featurespace, offered his perspective on the issue. He mentioned, “To successfully target a user, the malicious Shortcut must be deliberately installed by them. While not impossible, this serves as an additional hurdle that an attacker must overcome. It’s reassuring to see this issue resolved, and while it’s an intriguing vulnerability, the likelihood of a successful attack seems relatively low.”

What To Do

So, what steps should you take to safeguard against this vulnerability? The solution is simple: update to iOS 17.3 immediately, which in practice means installing the latest software version, iOS 17.3.1. Bitdefender echoes this advice, recommending that users also promptly update their macOS, iPadOS, and watchOS devices to the most recent versions.

Additionally, exercise caution when running shortcuts from untrustworthy sources and routinely check for security updates and patches from Apple.
