Apple has released iOS 17.0.1 and iPadOS 17.0.1, just days after launching the latest operating systems with much fanfare. This emergency update, which all iPhone and iPad users should apply as soon as possible, comes with an important warning. The security update addresses three critical vulnerabilities, and Apple warns that it is aware of reports that all three may have been actively exploited against versions of the iPhone operating system prior to iOS 16.7. If you are purchasing a new iPhone 15, iPhone 15 Plus, iPhone 15 Pro or iPhone 15 Pro Max at the time of launch, you will need to update the operating system immediately.
What is known about the three iOS security vulnerabilities?
As usual, Apple has released very few details about any of these iOS vulnerabilities, or the exploits that target them. This is no surprise: Apple tends to withhold such details until more users have had a chance to update their devices, so that other attackers cannot use them to create exploits.
What is known at this stage is that the discovery of CVE-2023-41992 is attributed to Bill Marczak of The Citizen Lab at the Munk School at the University of Toronto, and Maddie Stone of Google’s Threat Analysis Group. This is a kernel vulnerability that could enable an attacker to escalate privileges.
CVE-2023-41991 and CVE-2023-41993
The same two security researchers are also credited with disclosing both CVE-2023-41991 and CVE-2023-41993. The first of these involves a certificate validation issue, and successful exploitation could enable an attacker to bypass such validation using a malicious app. The latter vulnerability is within WebKit, and the act of processing content could lead to arbitrary code execution.
CVE-2023-41991 and CVE-2023-41992 also affect Apple Watch users, and an emergency security update for watchOS 10.0.1 is also now available.
Update to iOS 17.0.1 now
Given that all three of these vulnerabilities have already been exploited, it is imperative that users update to the patched versions of iOS, iPadOS, and watchOS as soon as possible. iPhone users should go to Settings > General > Software Update to download iOS 17.0.1.
The devices that are affected by these already exploited vulnerabilities are: iPhone 6th generation and later, iPad mini 5th generation and later.