New iOS 17.3 update alert issued to all iPhone users

Apple’s iOS 17.3 was launched a month ago and many security-conscious iPhone users have already upgraded to the latest software. But many more cautious iPhone users prefer to wait to update their device, in case any errors appear.

In the case of iOS 17.3, waiting is really not a good idea, as some of the security flaws patched in the update are being exploited in real-life attacks.

Now, with iOS 17.4 arriving in a few days, details have emerged about one of the issues fixed in iOS 17.3, tracked as CVE-2024-23204 and reported by Jubaer Alnazi, a researcher at security firm Bitdefender.

“Apple’s Shortcuts app, designed to enhance user automation, may inadvertently become a potential vector for privacy violations,” Alnazi wrote in a blog post describing the nature of the vulnerability, its potential impact, and recommended mitigation measures.

What is CVE-2024-23204 and how bad is it?

Fixed in iOS 17.3, CVE-2024-23204 is an issue in Apple Shortcuts that could allow an attacker to access sensitive data through certain actions without prompting the user.

The issue was fixed with additional permission checks, according to Apple’s support page detailing the fixes for iOS 17.3. Reported to Apple by Alnazi (@h33tjubaer), the bug received a CVSS score of 7.5. It was disclosed alongside another CVE, CVE-2024-23203.

The issue affects macOS and iOS devices with versions prior to macOS Sonoma 14.3 and versions prior to iOS 17.3 and iPadOS 17.3.

Shortcuts is a visual scripting application developed by Apple and available on its operating systems iOS, iPadOS, macOS and watchOS. It allows users to share shortcuts with others, but it’s this flexibility that makes the vulnerability risky.

This is because users may unknowingly introduce shortcuts that can exploit CVE-2024-23204. “Since shortcuts are a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent spread of malicious shortcuts across various sharing platforms,” explained Alnazi.

And for CVE-2024-23204, it was possible to create a shortcut file that could bypass Transparency, Consent and Control (TCC), a security framework in Apple’s macOS and iOS that governs app access to sensitive user data and system resources. “TCC ensures that applications explicitly seek permission from users before accessing certain data or functionality, improving user privacy and security,” Alnazi wrote.

On his blog and via video, he demonstrated how an iPhone user can install a malicious shortcut.

Should you be worried? If you’re using shortcuts, obviously yes, but otherwise it’s more important to patch the already exploited iPhone flaws fixed in iOS 17.3.

Even if you use shortcuts, Sean Wright, head of application security at Featurespace, says the problem is relatively difficult to exploit. “To successfully attack a user, you must explicitly install a malicious shortcut. While not impossible, it’s just another hurdle the attacker would have to overcome. It’s great to see this fixed and it’s certainly an interesting vulnerability, but I think the likelihood of an attack being successful would be pretty limited.”

What to do

So what should you do to avoid this problem? The answer is pretty simple: if you haven’t already, update to iOS 17.3 now, which will mean installing the latest software, iOS 17.3.1. Bitdefender echoes this advice, saying that users should also update their macOS, iPadOS and watchOS devices to the latest versions now.

Additionally, be careful when executing shortcuts from untrusted sources and regularly check for security updates and patches from Apple.
