Update Your iPhone Now: iOS 17.4.1 Includes These Security Fixes

[MacRumors]

Apple today provided details about the security fixes included in last week's iOS 17.4.1 and iPadOS 17.4.1 software updates for the iPhone and iPad.

In a support document, Apple said the updates patch an image-related security vulnerability that "may lead to arbitrary code execution."

The full details:

CoreMedia

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2024-1580: Nick Galloway of Google Project Zero

WebRTC

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2024-1580: Nick Galloway of Google Project Zero

To update your iPhone or iPad, open the Settings app and tap General → Software Update.

Apple said it has patched the same vulnerability in macOS 14.4.1 and visionOS 1.1.1 as well.

Article Link: Update Your iPhone Now: iOS 17.4.1 Includes These Security Fixes

 

[twolf2919]

Well, I don't know about you guys, but for me, the update caused FaceID to no longer work. Had to reset FaceID in Settings to make it work again :-(

I think the culprit was the new "Enhance Theft Protection" feature Apple asks you to enable when the phone starts after the update. I was dumb enough to say 'yes' :-(

 

[jz0309]

always good to know, now, why not publish this kind of info together with the actual release?

 

[Avenged110]

Don’t tell me what to do ;P

 

[JosephAW]

I bet we could list more bugs than what they fixed…

 

[GuyDouche]

Still on 16.3. After hearing battery drainage issue seasoned with other bugs, I’ll sit this one out for the time being

 

[klasma]

Nope, staying on iOS 15. May upgrade before iOS 18 though.

 

[NMBob]

They really should be required to list all of the affected versions. iOS16 OK? iOS15 not?

 

[I7guy]

They really should be required to list all of the affected versions. iOS16 OK? iOS15 not?

Nit if an upgrade is available for your device. Those who stay behind “because” are the ones potentially vulnerable.

 

[Lounge vibes 05]

always good to know, now, why not publish this kind of info together with the actual release?

There was a lot of reasons that they might not have wanted to do that.
macOS coming four days after iOS being the biggest, if they’re going to patch the same security flaw best to keep it close to the vest until it’s patched on everything.

They really should be required to list all of the affected versions. iOS16 OK? iOS15 not?

16.7.6 was released at the same time.

 

[Gator5000e]

No 17.4 for me until they allow it to work with watchOS 9.6.3 and so I will stick with 17.3.1.

 

[jz0309]

There was a lot of reasons that they might not have wanted to do that.
macOS coming four days after iOS being the biggest, if they’re going to patch the same security flaw best to keep it close to the vest until it’s patched on everything.

Even on days where all OSs are updated together, they typically do not list details, whether it is bug fixes or security updates.

 

[nightfox818]

always good to know, now, why not publish this kind of info together with the actual release?

It’s part of responsible disclosure. You delay the technical details to give as many users as possible a chance to get updated and patched before releasing the technical details. If they didn’t, they could give bad actors a chance to use the exploit.

 

[jole]

It is scary that somehow we still see arbitrary code execution bugs with image decoders. How it is possible that libraries like this still are not fully isolated from being able to execute code?

 

[jz0309]

It’s part of responsible disclosure. You delay the technical details to give as many users as possible a chance to get updated and patched before releasing the technical details. If they didn’t, they could give bad actors a chance to use the exploit.

the bad actors will try anyway as they know not everyone upgrades anyways ... 2 responses in this thread alone indicating that they are not upgrading ...

 

[Icelus]

This bug was discovered last November and fixed last month.

2502 - project-zero - Project Zero - Monorail

bugs.chromium.org

 

[viktorhun]

Nope, staying on iOS 15. May upgrade before iOS 18 though.

I stay on ios 6.1.3

 

[Urban Splash]

I loved that dock !

 

[now i see it]

makes a person wonder if A-inc intentionally codes obscure holes in their OS only to force users into the endless upgrade train to fix them.

 

[boswald]

I stay on ios 6.1.3
View attachment 2362592

I actually enjoy those icons…

 

[Avenged110]

I stay on ios 6.1.3
View attachment 2362592

Nice. I would probably still be running iOS 6 as well if it hadn't been for T-Mo shutting down UMTS here.

 

[ifxf]

Don‘t know why they now continuously bother you to update using banners. Apparently the notification controls only apply to apps and not the OS.

 

[cyanite]

makes a person wonder if A-inc intentionally codes obscure holes in their OS only to force users into the endless upgrade train to fix them.

Well, not this person, at least.

 

[screenzero]

This couldn't have been a rapid security response-type update? Seems like they don't use that update route very often, when it would be much more effective.

 

[ellpee]

Duolingo no longer functional on any iOS browser: no sound. WTF