iOS 17.0.3 fixes yet more nasty zero-days (and the overheating bug).
Apple has updated iOS 17 again, patching two zero-day vulnerabilities that are already being exploited: iOS 17.0.3 isn’t just for the iPhone 15, but for any supported iPhone or iPad. Seems like Apple’s had one of these fixes since July, but somehow “forgot” to apply it to iOS 17.
If you’re already on iOS or iPadOS 17, you need this update. In today’s SB Blogwatch, we hit the Settings app (yet again).
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: DIY self-driving car.
Apple’s Embarrassing Regression
What’s the craic? Sergiu Gatlan reports—“Apple emergency update fixes new zero-day used to hack iPhones”:
“18 zero-days”
CVE-2023-42824 is caused by a weakness discovered in the XNU kernel that enables local attackers to escalate privileges on unpatched iPhones and iPads. [Apple] has yet to reveal who found and reported the flaw.
…
CVE-2023-5217 [is] caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec. [It] was discovered by security researcher Clément Lecigne who is part of Google’s Threat Analysis Group (TAG).
…
Since January 2023, Apple has addressed a total of 18 zero-days. … Today’s iOS 17.0.3 release also addresses a known issue causing iPhones running iOS 17.0.2 and lower to overheat.
Should I update? Kate O’Flaherty hammers the point home—“iOS 17.0.3 Update Now Warning”:
“A no-brainer”
It’s the third iOS update in as many weeks. … The emergency timing of iOS 17.0.3 shows it’s an important one.
…
Given that at least one of the issues fixed in iOS 17.0.3 is already being used in real-life attacks [and] if you are already on iOS 17, updating to iOS 17.0.3 is a no-brainer. This is an important update you should apply right now, so go to your Settings > General > Software Update and download and install iOS 17.0.3 as soon as possible.
Which devices are affected? Richard Speed rushes in to answer, slightly snarkily—“Another security update, Apple?”:
“iPhones from the XS and on”
Apple has demonstrated that it can more than hold its own among the tech giants, at least in terms of finding itself on the wrong end of zero-day vulnerabilities. … Apple devices have come under increasing scrutiny from attackers in recent years.
…
Devices for which the fix … is available include iPhones from the XS and on, the 6th generation of the iPad and later models, and the iPad Mini from the 5th generation. … The company dropped support for older models in iOS 17.
What about iOS 16? Questar has the 411:
Versions prior to 16.6 are vulnerable. So if you have updated since June you are fine.
Wait. Pause. 16.6 isn’t vulnerable, but earlier versions are? So it was already fixed in 16.6—two months before 17 was released? Here’s u/STRXP:
Good point. … Interesting that it “regressed” to affect 17.0.2 considering 16.7 was released after 17.
Is Apple to blame? Yes, thinks yeah: [You’re fired—Ed.]
I actually thought iOS 17 would be the “Snow Leopard” update for iOS 16, but it appears that it’s only dragging the bugs from iOS 16 over and creating new ones which require several small point releases to fix. Apple’s software development and QA has really taken a nose dive.
A bit harsh? But Fly Swatter agrees:
This is how modern software engineering works. … “It compiles, ship it!” has been a long standing saying—more so today than just a decade ago.
Or, instead of updating, just enable Lockdown mode? This Anonymous Coward thinks that’s a terrible idea:
Lockdown Mode shuts off functionality. For example, no more JIT JavaScript compilation in Safari. … It also blocks attachments other than images in Messages. … The reason people are only told to use it if they’re a high risk target is because it not only slows down web browsing but also reduces your ability to casually share media.
…
In this case Lockdown Mode would have likely blocked VP8-based attacks in iMessage due to the attachment filter but not dodgy links in Safari. Bear in mind that pwning Safari doesn’t give you full control over the device and attackers are having to chain exploits from userland all the way through to kernel space to spy on people.
Meanwhile, it’s giving u/landdon chills:
Just installed and now my phone is too cold.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Sophia Stark (via Unsplash; leveled and cropped)
Recent Articles By Author