Three days after launching iOS 17, Apple has issued iOS 17.0.1 with three important security patches. Notably, Apple says it’s aware all of the fixed vulnerabilities were reported as being actively exploited.
Shortly after releasing iOS 17.0.1 along with iPadOS 17.0.1, watchOS 10.0.1, and more with “important bug fixes and security updates,” Apple shared the vulnerability details on its security page.
3 actively exploited flaws patched
One was a kernel flaw, another bypasses signature validation issue, and the last was a WebKit vulnerability that allowed arbitrary code execution.
Apple says that each of the three flaws was reported as actively exploited prior to 16.7. For fixes, iOS 17.0.1 brings “improved checks” while the third saw “certificate validation issue” addressed to protect against the previously discovered bugs.
While it’s best to update to the new release to get the improved security, keep in mind you’ll need to install iOS 17.0.1 on your iPhone 15/15 Pro before restoring from a backup with this software.
Here are the CVE’s for each fixed flaw:
Kernel
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later
Impact: A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
Description: The issue was addressed with improved checks.
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group
Security
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later
Impact: A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
Description: A certificate validation issue was addressed.
CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group
WebKit
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later
Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 261544
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group