October 15, 2024 at 02:09PM
iOS 17.6 and iPadOS 17.6 address multiple vulnerabilities, including Privacy preferences bypass, unexpected app termination from malicious files, and lock-screen data access by physical attackers. Updates are available for iPhone XS and later and for various iPad models. Key fixes include improved input validation, improved state management, and additional code-signing restrictions.
### Meeting Summary: Security Updates for iOS 17.6 and iPadOS 17.6
**Release Information:**
– **Apple ID:** 120909
– **Release Date:** July 29, 2024
**Security Vulnerabilities Addressed:**
1. **CVE-2024-40774**
– **Description:** A downgrade issue was addressed with additional code-signing restrictions.
– **Impact:** An app may bypass Privacy preferences.
– **Affected Devices:** iPhone XS and later, various iPads (listed).
2. **CVE-2024-40799**
– **Description:** An out-of-bounds read issue was addressed with improved input validation.
– **Impact:** Processing a malicious file may cause app termination.
3. **CVE-2024-27873**
– **Description:** An out-of-bounds write issue was addressed with improved input validation.
– **Impact:** Malicious video files may cause app termination.
4. **CVE-2024-40815**
– **Description:** Addressed a race condition with additional validation.
– **Impact:** Potential to bypass Pointer Authentication.
5. **General CVEs (CVE-2024-40795, CVE-2024-40805, etc.)**
– **Description:** Various out-of-bounds access issues addressed with improved bounds checking.
– **Impact:** Malicious files may lead to unexpected app termination.
6. **CVE-2024-40784, CVE-2024-27863**
– **Description:** Improved private data redaction for log entries.
– **Impact:** Local attackers may determine kernel memory layout.
7. **CVE-2024-40788**
– **Description:** A type confusion issue was addressed with enhanced memory handling.
– **Impact:** May cause unexpected system shutdown.
8. **CVE-2024-40813, CVE-2024-40824**
– **Description:** Lock screen issues were addressed with improved state management.
– **Impact:** Physical attackers may access sensitive data via Siri.
9. **User Consent Issues (Multiple CVEs)**
– **Description:** Additional prompts for user consent added.
– **Impact:** Shortcuts may bypass Internet permission requirements.
10. **Locked Device Access (Multiple CVEs)**
– **Description:** Addressed by restricting the options offered on locked devices.
– **Impact:** Physical attackers may access contacts from the lock screen.
11. **Open Source Vulnerabilities (CVE-2024-4558, etc.)**
– **Description:** Vulnerabilities in open source code that affected Apple software.
– **Impact:** Processing malicious web content may lead to unexpected crashes.
**Impact Assessment:**
– The updates are crucial for maintaining device security and preventing unauthorized access, especially regarding Privacy preferences and data exposure risks.
**Devices for Updates:**
– Available for:
– iPhone XS and later
– iPad Pro models (various generations)
– iPad Air 3rd generation and later
– iPad 6th generation and later
– iPad mini 5th generation and later
**Next Steps:**
– Ensure all eligible devices are updated to address the noted vulnerabilities. Monitor for further security developments and updates.