Apple has released iOS 17.0.3, an emergency iPhone update fixing two security flaws—one of which is already being used in real-life attacks.
Apple is releasing little detail about the issues fixed in iOS 17.0.3, to give people as much time as possible to update their iPhones before more attackers get hold of the specifics.
The first flaw patched in iOS 17.0.3 is an issue in the kernel, the core of the iOS operating system, tracked as CVE-2023-42824. Apple said the issue could allow an adversary to elevate their privileges, but only if they already have local access to the device.
While this makes it more difficult for remote attackers to exploit, the flaw is already being used in attacks. Apple is “aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” the iPhone maker said on its support page.
The second issue fixed in iOS 17.0.3 is a vulnerability in the open source web technology WebRTC, tracked as CVE-2023-5217, that could allow an attacker to execute code. This issue affects multiple browsers and platforms and has already been patched in Google’s Chrome browser and Mozilla’s Firefox.
Google’s researchers said last week that the Heap buffer overflow in vp8 encoding in libvpx was being exploited by unnamed spyware vendors.
Update Now To iOS 17.0.3
It’s the third iOS update in as many weeks—with the iPhone maker already fixing flaws used in spyware attacks.
The emergency timing of the iOS 17.0.3 release shows how important it is. “The urgency of the release from Apple highlights how important it is to install iOS 17.0.3,” says independent security researcher Sean Wright.
He also warns that the WebRTC vulnerability could be chained with the local Kernel exploit “to gain remote control over a victim’s device.”
Given that at least one of the issues fixed in iOS 17.0.3 is already being used in real-life attacks, it’s a good idea to update your iPhone now.
However, check your privacy settings once you’ve updated to iOS 17.0.3, as security researcher Tommy Mysk has discovered an iOS 17 issue that can turn on Significant Locations and iPhone Analytics when you had previously turned these off.
If you haven’t already updated to iOS 17, you might be wondering whether there is an iOS 16 fix for the same vulnerability. At the time of writing, Apple has only issued iOS 17.0.3, which could mean that being on the latest iOS 16 release, iOS 16.7, is enough to protect you.
But the fix is not listed in the iOS 16.7 security details, so it’s also possible Apple is about to issue an iOS 16 patch. Keep an eye on my Forbes page for updates.
The iOS 17.0.3 upgrade also fixes an overheating issue in iPhone 15s, so users of Apple’s newest device should be updating urgently.
If you are already on iOS 17, updating to iOS 17.0.3 is a no-brainer. This is an important update you should apply right now, so go to your Settings > General > Software Update and download and install iOS 17.0.3 as soon as possible.