Apple releases iOS & iPadOS 17.0.1 with security patches, along with macOS 13.6 Ventura & watchOS 10.0.1

Apple on Thursday released iOS & iPadOS 17.0.1 for most iPhones and iPads along with iOS 17.0.2 for the iPhone 15 and 15 Pro lineups, marking the first official updates to Apple’s significant 2023 software upgrade since it first launched this past Monday.


Upon loading the update on any compatible iPhone or iPad, the OTA software update mechanism merely cites “bug fixes and important security updates for iPhone 15 and iPhone 15 Pro models,” but digging deeper into Apple’s “About the security content of iOS 17.0.1 and iPadOS 17.0.1” support document, we find that some major security concerns have been addressed:

Kernel 

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later 

Impact: A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. 

Description: The issue was addressed with improved checks. 

CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group 

Security 

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later 

Impact: A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. 

Description: A certificate validation issue was addressed. 

CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group 

WebKit 

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later 

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. 

Description: The issue was addressed with improved checks. 

WebKit Bugzilla: 261544
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group 

The patches address three vulnerabilities, each credited to Bill Marczak of The Citizen Lab and Maddie Stone of Google’s Threat Analysis Group. The first is a kernel vulnerability, CVE-2023-41992, that would have allowed a local attacker to elevate their privileges. The second is a Security framework vulnerability, CVE-2023-41991, that may have made it possible for a malicious app to bypass signature validation. The third is a WebKit vulnerability, CVE-2023-41993, that may have enabled arbitrary code execution by way of web content processing. Apple says it is aware of a report that each of these issues may have been actively exploited against versions of iOS prior to 16.7.

Because of the significance of these security patches, most iPhone and iPad users are advised to download and install the latest update by visiting Settings → General → Software Update on their device. There, they can follow the on-screen prompts to install the software update, which should only take a few minutes with a moderate-speed internet connection.

But if you’re not an ordinary iPhone or iPad user, and you instead like to depend on third-party hacks, then Dopamine jailbreak lead developer Lars Fröder (@opa334dev) suggests that those users avoid iOS & iPadOS 16.7 and 17.0.1, as the signature validation bypass bug seems similar in nature to the CoreTrust bug that made perma-signing with TrollStore possible.  

Fröder of course warned that it remains to be seen if the bug is truly that powerful or not, but it’s better to be safe than sorry until confirmed otherwise. Remaining skeptical until something happens is probably a safe bet. 

When prospective iPhone 15, 15 Plus, 15 Pro, and 15 Pro Max users begin receiving their handsets starting tomorrow, iOS 17.0.2 will be available right out of the box with similar changes to the mobile operating system. 

These updates were also joined by similar updates such as macOS 13.6 Ventura for Mac computers and watchOS 10.0.1 for Apple Watches.

Have you updated to iOS or iPadOS 17.0.1 yet? Be sure to let us know why or why not in the comments section down below.