Apple’s iOS 17.3 was released a month ago, and many security-conscious iPhone users have already upgraded to the latest software. However, many more cautious iPhone users prefer to wait to update their device in case a bug occurs.
In the case of iOS 17.3, waiting is actually not a good idea, as some of the security flaws patched in the upgrade have been exploited in real attacks.
With iOS 17.4 set to be released in the coming days, details have emerged about one of the issues fixed in iOS 17.3, tracked as CVE-2024-23204 and reported by researcher Jubaer Alnazi from security firm Bitdefender.
“Apple’s Shortcuts application, designed to enhance user automation, could inadvertently become a potential vector for privacy violations,” Alnazi wrote in a blog post explaining the nature of the vulnerability, its potential impact, and recommended mitigations.
What is CVE-2024-23204? How harmful is it?
CVE-2024-23204, fixed in iOS 17.3, is an Apple Shortcuts issue that could allow an attacker to access sensitive data with certain actions without prompting the user.
According to Apple’s support page detailing the iOS 17.3 fix, the issue was resolved with additional permission checks. Reported to the iPhone maker by Alnazi (@h33tjubaer), the flaw has been given a CVSS score of 7.5. It came along with another of his CVEs, CVE-2024-23203.
The issue affects macOS devices running versions of macOS Sonoma earlier than 14.3, and iOS and iPadOS devices running versions earlier than iOS 17.3 and iPadOS 17.3, respectively.
Shortcuts is a visual scripting application developed by Apple and available for iOS, iPadOS, macOS, and watchOS operating systems. Users can share shortcuts with others, but this flexibility increases the risk posed by the vulnerability.
This is because a user could unknowingly import a shortcut that exploits CVE-2024-23204. “Shortcuts are a widely used feature for efficient task management, so this vulnerability raises concerns that malicious shortcuts could be inadvertently spread through various sharing platforms,” explained Alnazi.
With CVE-2024-23204, it was possible to create a shortcut file that could bypass Transparency, Consent, and Control (TCC), Apple’s macOS and iOS security framework that governs an application’s access to a user’s sensitive data and system resources. “TCC ensures that apps explicitly request permission from users before accessing certain data or functionality, enhancing user privacy and security,” Alnazi wrote.
In a blog and video, he demonstrated how iPhone users can install malicious shortcuts.
What to do
So how can you avoid this problem? The answer is very simple. If you haven’t done so already, update to iOS 17.3 now. This means installing the latest software, iOS 17.3.1. Bitdefender echoes this advice, stating that users should update their macOS, iPadOS, and watchOS devices to the latest versions now.
Additionally, be careful when running shortcuts from untrusted sources and check regularly for security updates and patches from Apple.