iOS 17.3 and macOS Sonoma 14.3 Patch WebKit Vulnerability That May Have Been Exploited

[MacRumors]

Apple today released iOS 17.3, iPadOS 17.3, tvOS 17.3, and macOS Sonoma 14.3, and it's a good idea to update as soon as possible to the new operating systems because the software patches an actively exploited vulnerability.

The updates fix a bug in WebKit that could allow maliciously crafted content to lead to arbitrary code execution. Apple says on its security support page that it is aware of a report that the issue may have been exploited.

Apple's software releases also address several other security vulnerabilities that were not known to have been used in the wild. iOS 17.3, for example, fixes bugs with the Neural Engine, kernel, Mail, Safari, Shortcuts, and more.

Details on all of the security fixes for each update can be found on Apple's security support site.

Article Link: iOS 17.3 and macOS Sonoma 14.3 Patch WebKit Vulnerability That May Have Been Exploited

 

[IMPOSSIBLEMAN]

Yet no rapid security patch was issued!
I am beyond frustrated with the software division at Apple.

 

[F23]

Thanks for keeping me safe Timmy

 

[goodcow]

So now I have to update to 17.3 for security, even though the TV app is complete garbage now compared to the tv and movie apps on 17.1.

 

[contacos]

Why isnt Apple ever using this security patch thingy to add those quickly over the air?

 

[canadianreader]

Illusion of the safety.

 

[Reeneman]

Yet no rapid security patch was issued!
I am beyond frustrated with the software division at Apple.

Probably it was too big for such an update.

 

[MysteriousStain]

I’m seriously beginning to wonder what “actively exploited” means - a single targeted website? Apple really pushing people to update. The Siri voice bug and battery drain better be patched this time.

 

[adrianlondon]

The entire OS has to be replaced to fix a Webkit error. Who thought that was a smart idea.

If they unbundled the apps (MacOS has the same issue with bundled apps) they could then patch Safari/Webkit in previous releases too.

 

[seek3r]

Yet no rapid security patch was issued!
I am beyond frustrated with the software division at Apple.

So you know nothing about the issue, how complex or how deep into the system it is, or what is required to patch it, and yet you feel the need to crap on the developers. I'm gonna go ahead and bet there's a reason for doing it this way, I promise you they didn't just forget they had the capability you're talking about.

 

[eatrains]

The entire OS has to be replaced to fix a Webkit error. Who thought that was a smart idea.

If they unbundled the apps (MacOS has the same issue with bundled apps) they could then patch Safari/Webkit in previous releases too.

WebKit isn't an app, it's part of the OS.

 

[seek3r]

Illusion of the safety.

There is no such thing as a piece of software without bugs or attack surface, Apple's pretty good at this overall, but literally no one is perfect at it

 

[adrianlondon]

WebKit isn't an app, it's part of the OS.

And can't be updated separately? If not then ok, makes sense what they're doing.

 

[vegetassj4]

Ohh nooo...the logo looks like Android is infecting iOS

 

[I7guy]

Glad it was patched. And 17.3 feels amazingly smooth in my 15PM.

 

[matsan]

And if you were exploited - how do you know? Does an update fix your p0wned device?

 

[star-affinity]

And let me guess – in the 17.4 release there will be a patch that fixes a vulnerability that was discovered in 17.3. 😜

 

[CharlesShaw]

“You get an update! And YOU get an update…”

 

[bodhisattva]

There is no such thing as a piece of software without bugs or attack surface, Apple's pretty good at this overall, but literally no one is perfect at it

And further, the complexity and sophistication of attacks are a game of cat and mouse. The same freedom and incredible power we all have in the OS comes at a price.. attack vectors. Looks at all the freedom of the Android and Windows systems and the plague of attacks possible. I am a long time developer, and it is constantly amazing at how many ways these actors can find to exploit a system using the same features meant to make our digital lives so enjoyable and better. Hate those hellbent on proving they can harm a system rather than the system desperately not to go in total lockdown to protect against. Personally I'm just happy Apple is doing their part to patch and secure the system where so many others take the "it's the user's problem" mindset.

 

[bousozoku]

This is another reason why Firefox and Chrome should be completely without any Safari technology.

 

[klasma]

I’m seriously beginning to wonder what “actively exploited” means - a single targeted website?

What Apple actually says is “Apple is aware of a report that this issue may have been exploited.” So it may or may not be actively exploited.

 

[LV426]

And if you were exploited - how do you know? Does an update fix your p0wned device?

You're not necessarily going to know. Some vulnerabilities can hand over complete control of the phone and leave it in an arbitrary state. One good thing about a complete OS update to fix problems like this, that may have been exploited, is that it should update any corrupted system files to a good state.

 

[klasma]

Glad it was patched. And 17.3 feels amazingly smooth in my 15PM.

The exploits are running super smoothly.

 

[hagar]

The entire OS has to be replaced to fix a Webkit error. Who thought that was a smart idea.

If they unbundled the apps (MacOS has the same issue with bundled apps) they could then patch Safari/Webkit in previous releases too.

As far as I know, Apple never keeps updating several .x versions simultaneously. If the next regular update is around the corner they use that one to roll security patches into. Period. No need to keep 17.2 around. And I can’t blame them.

 

[matsan]

You're not necessarily going to know. Some vulnerabilities can hand over complete control of the phone and leave it in an arbitrary state. One good thing about a complete OS update to fix problems like this, that may have been exploited, is that it should update any corrupted system files to a good state.

I notice your use of the word should....