Details have emerged about one of the issues fixed in iOS 17.3, tracked as CVE-2024-23204 and reported by security outfit Bitdefender. Apple’s iOS 17.3 launched a month ago and many security-conscious iPhone users have already upgraded to the latest software. But many more cautious iPhone users prefer to wait to update their device, in case any bugs are introduced.
In the case of iOS 17.3, waiting really isn’t a good idea, because some of the security flaws patched in the upgrade are being exploited in real-life attacks. Now, with iOS 17.4 set to arrive in a matter of days, details have emerged about one of the issues fixed in iOS 17.3, tracked as CVE-2024-23204 and reported by a researcher at security outfit Bitdefender.
Apple's Shortcuts application, designed to enhance user automation, can inadvertently become a potential vector for privacy breaches. Fixed in iOS 17.3, CVE-2024-23204 is an issue in Apple’s Shortcuts that could allow an attacker to access sensitive data with certain actions without prompting the user. The issue was addressed with additional permissions checks, according to Apple’s support page detailing the iOS 17.3 fixes.
The issue affects macOS and iOS devices running versions prior to macOS Sonoma 14.3 and versions prior to iOS 17.3 and iPadOS 17.3, respectively. Shortcuts is a visual scripting application developed by Apple and provided on its iOS, iPadOS, macOS, and watchOS operating systems. It allows users to share their shortcuts with others, but it is this flexibility that makes the vulnerability risky.
With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms. For CVE-2024-23204, it was possible to craft a Shortcuts file that would be able to bypass Transparency, Consent and Control (TCC), a security framework in Apple's macOS and iOS that governs access to sensitive user data and system resources by applications.
To mitigate this issue, users are advised to update to iOS 17.3.1, exercise caution when executing shortcuts from untrusted sources, and regularly check for security updates and patches from Apple. The next iPhone update, iOS 17.4, is set to include changes to the App Store and iOS ecosystem to allow sideloading in line with the EU Digital Markets Act.
Apple is making efforts to secure iOS users following the update, but acknowledges that less control over the ecosystem may reduce security. The changes coming in iOS 17.4 will only affect EU users, with countries like the U.K. and U.S. remaining unaffected. The update will also bring major security fixes and new features for all iPhone users.
Apple continues to patch bugs used in real-life attacks, emphasizing the importance of keeping devices up to date with the latest software. Stay informed for more updates on iOS 17.4 and the ongoing efforts to enhance iPhone security.