Apple’s iOS 17.3 was launched a month ago and many security-conscious iPhone users have already upgraded to the latest software. But many more cautious iPhone users prefer to wait to update their device, in case any errors appear.
In the case of iOS 17.3, waiting is really not a good idea, as some of the security flaws patched in the update are being exploited in real-life attacks.
Now, with iOS 17.4 arriving in a few days, details have emerged about one of the issues fixed in iOS 17.3, tracked as CVE-2024-23204 and reported by Jubaer Alnazi, a researcher at security firm Bitdefender.
“Apple’s Shortcuts app, designed to enhance user automation, may inadvertently become a potential vector for privacy violations,” Alnazi wrote in a blog post describing the nature of the vulnerability, its potential impact, and recommended mitigation measures.
What is CVE-2024-23204 and how bad is it?
Fixed in iOS 17.3, CVE-2024-23204 is an issue in Apple Shortcuts that could allow an attacker to access sensitive data through certain actions without prompting the user.
The issue was fixed with additional permission checks, according to Apple’s support page detailing the fixes for iOS 17.3. Reported to the iPhone manufacturer by Alnazi (@h33tjubaer), the bug received a CVSS score of 7.5. It came with another CVE, CVE-2024-23203.
The issue affects macOS and iOS devices with versions prior to macOS Sonoma 14.3 and versions prior to iOS 17.3 and iPadOS 17.3.
Shortcuts is a visual scripting application developed by Apple and available on its operating systems iOS, iPadOS, macOS and watchOS. It allows users to share shortcuts with others, but it’s this flexibility that makes the vulnerability risky.
This is because users may unknowingly import shortcuts that can exploit CVE-2024-23204. “Since shortcuts are a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent spread of malicious shortcuts across various sharing platforms,” explained Alnazi.
And for CVE-2024-23204, it was possible to create a shortcut file that could bypass Transparency, Consent and Control (TCC), a security framework in Apple’s macOS and iOS that governs app access to sensitive user data and system resources. “TCC ensures that applications explicitly seek permission from users before accessing certain data or functionality, improving user privacy and security,” Alnazi wrote.
On his blog and via video, he demonstrated how an iPhone user can install a malicious shortcut.
Should you be worried? If you’re using shortcuts, obviously yes, but otherwise it’s more important to protect against the already exploited iPhone flaws fixed in iOS 17.3.
Even if you use shortcuts, Sean Wright, head of application security at Featurespace, says the problem is relatively difficult to exploit. “To successfully attack a user, you must explicitly install a malicious shortcut. While not impossible, it’s just another hurdle the attacker would have to overcome. It’s great to see this fixed and it’s certainly an interesting vulnerability, but I think the likelihood of an attack being successful would be pretty limited.”
What to do
So what should you do to avoid this problem? The answer is pretty simple: if you haven’t already, update to iOS 17.3 now, which will mean installing the latest software, iOS 17.3.1. Bitdefender echoes this advice, saying that iPhone users should update their macOS, iPadOS and watchOS devices to the latest versions now.
Additionally, be careful when executing shortcuts from untrusted sources and regularly check for security updates and patches from Apple.
Apple iPhone Security — What’s Next?
The next iPhone update will be iOS 17.4, which Apple will release in about a week. The iOS 17.4 update is one of the biggest iPhone upgrades to date—at least if you live in the EU.
This is because it involves changes to the App Store and the iOS ecosystem to enable sideloading in line with the EU Digital Markets Act. This puts Apple on par with Google, as the iPhone maker will allow users to download apps from other app stores. At this point, they will be approved by Apple, which adds security. However, iOS 17.4’s move opens up EU users to cybersecurity threats.
One of the key benefits of owning an iPhone is the security of the closed ecosystem managed by Apple. Unlike rival Google, the iPhone maker owns the hardware, software and operating system. The changes coming in iOS 17.4 will completely change that.
Apple is doing its best to secure iOS users after the update, with steps like notarizing apps, but the iPhone maker admits that less control over the ecosystem reduces security.
It’s important to note that this change is only coming to EU users, so countries like the UK and the US are not affected. In the future this may change with regulation and user demand, but for now things will remain the same.
There are some cool new features coming in the next update for all iPhone users, like robust security for iMessage and improved anti-theft capabilities.
In the meantime, iOS 17.4 will come with major security fixes, so stay tuned for my release story. Apple is increasingly patching bugs used in real-life attacks. Some security holes are used to perform so-called “zero-click” attacks that do not require any user interaction to install spyware on an iPhone. Although these attacks are highly targeted, the only way to be completely safe is to keep your device up-to-date, installing the latest software as soon as it arrives.
—
Updated February 25 at 10:05 am EST. This article was first published on February 23 at 09:56 EST. Updated to include information about iOS 17.4, Apple’s next major iPhone upgrade.