[German]Apple released the first update, iOS 17.3 for iPhones and iPadOS 17.3 for iPads, yesterday, January 22, 2024. In addition to a "Device Protection" function, it also fixes the first 0-day bug in the operating system. Here is a brief overview of this update.
Advertising
iOS 17.3 and iPadOS 17.3
According to this Apple document the new operating system is to offer theft protection for iPhones via the Stolen Device Protection function.
If the feature is active, the iPhone monitors the location where it is located. If the device is in a location that is not a familiar place like home or work, additional security requirements apply to some features and actions. These requirements prevent someone who has stolen your device and knows your passcode from making important changes to your account or device.
- Biometric authentication with Face ID or Touch ID: Some actions, such as accessing saved passwords and credit cards, require a single biometric authentication with Face ID or Touch ID – without a passcode alternative or fallback option – so that only you can access these feature.
- Security delay: Some security measures, such as changing your Apple ID password, require you to wait an hour and then perform a second Face ID or Touch ID authentication.
If the iPhone has been stolen, the security delay is designed to prevent a thief from performing critical actions. This should give the device owner the opportunity to mark the device as lost. It should also ensure that the stolen person's Apple account is secure. Further details can be found in the linked document.
Vulnerabilities fixed
According to this Apple document, iOS and iPadOS 17.3 contains a number of security fixes. Vulnerability CVE-2024-23222 in WebKit due to a type confusion problem can lead to the execution of arbitrary code via malicious websites. Apple is aware of a report that this issue may have been exploited.
Advertising
The fix affects Phone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later and iPad mini 5th generation and later.
The vulnerability is a 0-day that may be exploited in the wild. Will Dormann points out this 0-day vulnerability in the tweet above.
