iLeakage: Unpatched Safari vulnerability – iOS 17.1 & macOS 14.1 released

Apple released iOS 17.1 (also iPadOS) and macOS 14.1 on October 25, 2023. iOS 17.1 probably fixes an Exchange synchronization bug (described here in the blog), as a reader reports. In addition, a bug that reveals the iPhone's MAC address has been eliminated. Furthermore, a vulnerability called iLeakage became public the other day: the Safari browser reveals sensitive information such as passwords under iOS and macOS. This vulnerability has not been patched yet.


iOS 17.1 and macOS 14.1 released

First, a post from Wednesday, October 25, 2023, a date when Apple released updates for iOS/iPadOS 17.1 and for macOS 14.1.

iOS/iPadOS 17.1

Gerold had already pointed out the released iOS 17.1 in this comment and wrote that the update is more than 1 GB in size. Apple describes the fixes and closed security vulnerabilities in iOS (iPhone) and iPadOS (iPad) here. The OS update is available for iPhone XS and above, iPad Pro 12.9-inch 2nd generation and above, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and above, iPad Air 3rd generation and above, iPad 6th generation and above, and iPad mini 5th generation and above. The release notes can be accessed here.

Gerold pointed out in a comment that iOS 16 has been updated to iOS 16.7.2. Apple has revealed details here.

Exchange Active Sync bug fixed with iOS 17.1

I had reported in the blog post Exchange Active Sync-Bug in iOS 17.0.3 about a nagging bug that was causing problems with Active Sync synchronization with Exchange on iPhones running iOS 17.0.3. When managing appointments, the appointment commitments are delivered multiple times. Several readers had confirmed these problems. Michael checked in on October 27, 2023 in this comment and writes that the bug is now fixed with iOS 17.1.

Bug fix for privacy feature (leaked MAC address)

Although Apple has claimed for 3 years that iPhones have a Wi-Fi privacy feature, iPhones have been giving away their unique MAC address to Wi-Fi networks. This bug, which reveals the MAC address of the iPhone, is also supposed to be fixed in iOS 17.1, as Ars Technica describes in this article.

macOS 14.1 (Sonoma)

Apple has described the security fixes included in the new macOS 14.1 update (named Sonoma) on this page. Quite a few vulnerabilities in the operating system have been fixed. The release notes for macOS 14.1 can be viewed on this Apple page.


iLeakage: Vulnerability in Safari

The Safari browser on the iOS/iPadOS and macOS operating systems has a vulnerability known as iLeakage, which allows attackers to retrieve the user's personal data such as passwords. It is a side-channel attack (based on the Spectre principle) that is exploitable on all Apple devices with CPUs from the A or M series.


Four security researchers have presented this attack method, for which there is no patch yet, in a PDF document. The vulnerability probably affects all browsers that are based on Apple's WebKit. A fix has existed since September 2023, but has probably not been rolled out yet due to instabilities. An article with explanations can be found at Ars Technica.


2 Responses to iLeakage: Unpatched Safari vulnerability – iOS 17.1 & macOS 14.1 released

  1. Jeff says:

    Hi. Stumbled on this site while trying to troubleshoot the Exchange Active Sync issue. We have users on 17.2 who still have this problem (multiple non-stop replies going out from iOS).

    • Nico says:

      Same here … log in and out from the calendar on iPhone works for some days … but think 17.2.1 is returning this problem
