Apple patches 3 actively exploited security issues in iOS 17, iPadOS 17 and macOS 13
Apple has released iOS 17.0.1 and iPadOS 17.0.1 just 3 days after the first versions of the new operating systems were seeded. The updates patch 3 actively exploited security issues.
iOS 17.0.1, iPadOS 17.0.1 and macOS 13.6 released with critical security patches
The release notes that were published by the Cupertino company say that the three vulnerabilities affected versions of iOS before iOS 16.7. In case you missed it, Apple had patched a few zero-day exploits that had been used in Pegasus spyware attacks, in iOS 16.6.1, iPadOS 16.6.1 and macOS Ventura 13.5.2.
Apple has credited Bill Marczak of The Citizen Lab at The University of Toronto's Munk School, and Maddie Stone of Google's Threat Analysis Group, for discovering and reporting the security vulnerabilities to Apple.
CVE-2023-41992 tracks the first security issue, a kernel-level flaw in the operating systems that could have allowed an attacker to elevate their privileges. The bug was addressed with improved checks. The second vulnerability, tracked as CVE-2023-41991, could allow a malicious app to bypass signature validation. Apple addressed a certificate validation issue to fix the bug.
The third security issue is related to WebKit, the engine that powers Apple's Safari browser and web apps in iOS and iPadOS. Tracked as CVE-2023-41993, the vulnerability could lead to arbitrary code execution as a result of processing malicious web content. The issue was addressed with improved checks.
The iOS 17.0.1 update is available for the iPhone XS and later, and has the build number 21A340. iPadOS 17.0.1, which has the same build number, is now available for the iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
macOS Ventura 13.6, watchOS 10.0.1 and watchOS 9.6.3 released
macOS Ventura 13.6 patches the first and second issues mentioned above. The release notes mention that additional CVE entries are coming soon. This likely means that Apple may have also patched the WebKit exploit in Safari, and will update the page to include details about it.
watchOS 10.0.1 and watchOS 9.6.3 are now available with fixes for the first 2 issues described above.
iOS 16, iPadOS 16.7, macOS Monterey 12.7 ship with security patches
iOS 16.7 (20H19), iPadOS 16.7 (20H19), and macOS Monterey 12.7 have also been released. The iOS 16 and iPadOS 16 updates include patches for all three security flaws.
Safari 16.6.1 is now available for macOS Big Sur and Monterey, and fixes the arbitrary code execution issue described earlier in this article. macOS Monterey 12.7 fixes the kernel security exploit. Apple says that more CVE entries will be added, so it is possible that the second vulnerability could have also been patched in the update.
iOS 17.0.2 released for iPhone 15 series
The recently launched iPhone 15 series has another update, iOS 17.0.2. The build number of the new version is 21A350. Apple says that it does not contain any security patches, so it likely fixes some other bugs in the software.
Apple seeds macOS 14 Release Candidate 2 to beta participants
Apple is also seeding macOS 14 Release Candidate 2 (23A344) to users who have participated in the beta program. macOS 14 Sonoma will be released on September 26.