About the security content of iOS 18 and iPadOS 18 – Apple Support

October 15, 2024 at 01:28PM

Apple released iOS 18 and iPadOS 18 on September 16, 2024, addressing multiple security vulnerabilities. Updates are available for iPhone XS and later and for various iPad models, mitigating risks such as unauthorized device control, data access, and denial-of-service. Improved state management and validations were key to the fixes.

**Meeting Takeaways: Security Content of iOS 18 and iPadOS 18**

**Release Information:**
– **Apple ID:** 121250
– **Release Date:** September 16, 2024

**Key Vulnerabilities Addressed:**
1. **CVE-2024-40840 / CVE-2024-40830 / CVE-2024-44171**
– **Description:** Improved state management.
– **Impact:** Potential control of nearby devices via accessibility features when an attacker has physical access.
– **Affected Products:** iPhone XS and later, various iPad models starting from 3rd generation.

2. **CVE-2024-40852**
– **Description:** Restricted options on locked devices.
– **Impact:** Access to recent photos without authentication via Assistive Access.
– **Affected Products:** Same as above.

3. **CVE-2024-27874**
– **Description:** Improved state management.
– **Impact:** Risk of denial-of-service by a remote attacker.
– **Affected Products:** Same as above.

4. **CVE-2024-27876**
– **Description:** Improved locking to address a race condition.
– **Impact:** May allow arbitrary file writing when unpacking a malicious archive.
– **Affected Products:** Same as above.

5. **CVE-2024-44124**
– **Description:** Improved state management.
– **Impact:** Potential bypassing of Bluetooth pairing by a malicious input device.
– **Affected Products:** Same as above.

6. **CVE-2024-44131**
– **Description:** Enhanced symlink validation.
– **Impact:** Possible unauthorized access to sensitive user data by an app.
– **Affected Products:** Same as above.

7. **CVE-2024-44191**
– **Description:** Improved state management.
– **Impact:** An app may gain unauthorized access to Bluetooth.
– **Affected Products:** Same as above.

8. **CVE-2024-44198**
– **Description:** Addressed integer overflow through input validation.
– **Impact:** Malicious web content might cause unexpected process crashes.
– **Affected Products:** Same as above.

9. **CVE-2024-40791**
– **Description:** Enhanced private data redaction in logs.
– **Impact:** Possible access to user contacts by an app.
– **Affected Products:** Same as above.

10. **CVE-2024-44183**
– **Description:** Improved error handling.
– **Impact:** Apps may cause denial-of-service.
– **Affected Products:** Same as above.

11. **CVE-2024-44184**
– **Description:** Additional restrictions implemented for permissions.
– **Impact:** Apps may access user-sensitive data.
– **Affected Products:** Same as above.

12. **CVE-2024-40863 / CVE-2024-44139 / CVE-2024-44180**
– **Description:** Improved checks to bolster security.
– **Impact:** Potential access to contacts from the lock screen by a physical attacker.
– **Affected Products:** Same as above.

**General Impact:**
– Many vulnerabilities involve issues related to physical access, Bluetooth security, unauthorized app access to sensitive information, and potential denial-of-service situations.
– The updates are critical for maintaining the security and integrity of iOS 18 and iPadOS 18 devices.

**Updates Availability:**
– Updates are available for the following products:
  – iPhone XS and later
  – iPad Pro 13-inch and various other iPad models (12.9-inch 3rd gen, 11-inch 1st gen, iPad Air 3rd gen, iPad 7th gen, iPad mini 5th gen, etc.)

**Next Steps:**
– Ensure updates are applied to affected devices to mitigate identified vulnerabilities and enhance security.
