hanohiki - stock.adobe.com
Apple patches zero-days amid ‘foundational’ post-quantum update
Apple’s iOS 17.4 update not only fixes zero-day flaws that are being actively exploited, but includes important new security protocols to safeguard users against future attacks
Apple has rolled out patches to its mobile iOS and iPadOS operating systems to safeguard against four newly disclosed flaws, two of which are under active exploitation as zero-day vulnerabilities, as part of a wider update that also includes significant new features designed to safeguard the iPhone and iPad estate from future quantum cyber attacks.
The two zero-days are tracked as CVE-2024-23225 and CVE-2024-23296. The first is a memory corruption issue in the device kernel, via which an attacker who has obtained arbitrary kernel read-write capability can bypass kernel memory protections. The second, in RTKit, which is the real-time operating system used in various Apple peripherals, such as Apple AirPod, Apple Pencil and Smart Keyboard Folio, affects the kernel in the same way.
The third vulnerability is an accessibility and privacy issue through which an application may be able to read a user’s location data, tracked as CVE-2024-23243 and attributed to Cristian Dinca of Tudor Vianu National High School of Computer Science in Bucharest, Romania.
The fourth and final vulnerability is a logic issue affecting Safari Private Browsing, through which a user’s locked browser tabs may become briefly visible while switching tab groups with the Locked Private Browsing feature enabled. It’s tracked as CVE-2024-23256 and attributed to researcher Om Kothawade.
As is usual for its security updates, Apple provided no further technical details or exploits of any of the issues fixed.
Mike Walters, founder and president of Action1, a patch management specialist, said: “Apple’s emergency update for iOS has been rolled out with fixes for two zero-day vulnerabilities used in targeted attacks on iPhones, apparently related to spyware. The number of zero-days in Apple’s track record for this year is starting to grow, and though it’s still a long way from last year’s record of 20, the pace is set.
“The list of affected Apple devices is quite extensive and includes the entire iPhone XS, iPhone 8, iPhone X, 5th generation iPad, iPad Pro 9.7-inch, iPad Pro 12.9-inch 1st and 2nd generation, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation, iPad Air 3rd generation, iPad 6th generation, iPad mini 5th generation, and newer,” he added. “It is strongly recommended that you apply the updates as soon as possible.”
Quantum leap
The wider iOS 17.4 update is a significant moment for Apple in the cyber domain, delivering a new iMessage security protocol, PQ3, a post-quantum cryptographic protocol that advances end-to-end secure messaging on its devices.
Michael Covington, vice-president of strategy at Jamf, described this as one of the most “foundational” updates to iPhone security ever seen. “[It] delivers a massive jump forward in how messages are protected from the next generation of hacking tools,” he said.
“With PQ3, users of Apple’s iMessage service can be more confident that data sent today will be able to withstand attacks implemented using the quantum computing power that will be available to attackers in the future. This feature alone is a testament to Apple’s strong commitment to user privacy and always being ahead of the curve.”
Rapid7 chief security officer Jaya Baloo added: “Apple’s move to use the PQ3 protocol for post-quantum cryptography is a leap forward in security and protects communications against the future threat posed by quantum computers.
“It has a bunch of cool properties like protections around ‘harvest now, decrypt later’ attacks and ‘Level 3’ encryption, ensuring that data remains secure despite future decryption or key compromise, respectively. It’s also a major advancement because of the worldwide community of users who benefit from improvements to their privacy thanks to PQ3.
“Apple’s move to improve security and privacy for all by improving iMessage and adding PQ3 will hopefully also encourage more global consumer companies to prepare our security and privacy for a post-quantum future,” she added.
The iOS 17.4 also includes a number of other features, many of them intended to comply with the European Union’s Digital Markets Act.
These changes include the ability for third-party developers to make available alternative marketplaces and app downloads without the confines of Apple’s own iOS App Store; the ability to use other, non-WebKit-based browsers, such as Chrome or Firefox; and an application programming interface that lets developers use the iPhone’s existing NFC chip for contactless payments that don’t use Apple Pay or Apple Wallet.
Other, global features include new translation options in its Podcasts application and Siri, better battery life information, enhanced music recognition, and over 100 emoji additions.
Read more about security at Apple
- A zero-day in the open source WebKit browser engine that powers Safari has sparked Apple’s first major patch roll-out of 2024.
- It can be difficult for Apple admins to adapt to every new OS release and the respective compliance changes. That's where the macOS Security Compliance Project comes into play.
- Apple said its new PQ3 protocol for iMessage is the first of its kind and addresses both future threats from quantum computing as well as “harvest now, decrypt later” attacks.
