Apple has launched its first major update for all users since debuting iOS 17 in September. iOS 17.1 comes with a range of security patches and none of them were identified as exploited in the wild ahead of the fixes.
Per usual, Apple shared the details of the latest vulnerability fixes on its security page.
Patches range from fixing security bugs in Contacts, Find My, Kernel, Passkeys, Photos, Siri, Weather, WebKit, and more.
Fortunately, there were no known reports of any of the security flaws being actively exploited ahead of Apple releasing the fixes.
For more details on what is new with the releases feature-wise, check out our full coverage:
- Apple releases iOS 17.1 with AirDrop, StandBy, and Music features plus 7 bug fixes
- watchOS 10.1 for Apple Watch now available with double tap gesture and NameDrop
- macOS Sonoma 14.1 is now available with Music update, warranty status feature, and 2 bug fixes
- tvOS 17.1 now available for Apple TV alongside HomePod software update
Here are the full security fix notes for iOS 17.1:
Contacts
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) and Csaba Fitzl (@theevilbit) of Offensive Security
CVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)
CoreAnimation
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w
Find My
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to read sensitive location information
Description: The issue was addressed with improved handling of caches.
CVE-2023-40413: Adam M.
ImageIO
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: Processing an image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-40416: JZ
IOTextEncryptionFamily
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-40423: an anonymous researcher
Kernel
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
Description: The issue was addressed with improved memory handling.
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)
Mail Drafts
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: Hide My Email may be deactivated unexpectedly
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2023-40408: Grzegorz Riegel
mDNSResponder
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: A device may be passively tracked by its Wi-Fi MAC address
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-42846: Talal Haj Bakry and Tommy Mysk of Mysk Inc. @mysk_co
Passkeys
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: An attacker may be able to access passkeys without authentication
Description: A logic issue was addressed with improved checks.
CVE-2023-42847: an anonymous researcher
Photos
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: Photos in the Hidden Photos Album may be viewed without authentication
Description: An authentication issue was addressed with improved state management.
CVE-2023-42845: Bistrit Dahla
Pro Res
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of 360 Vulnerability Research Institute
Siri
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: An attacker with physical access may be able to use Siri to access sensitive user data
Description: This issue was addressed by restricting options offered on a locked device.
CVE-2023-41982: Bistrit Dahla
CVE-2023-41997: Bistrit Dahla
CVE-2023-41988: Bistrit Dahla
Status Bar
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: A device may persistently fail to lock
Description: The issue was addressed with improved UI handling.
CVE-2023-40445: Ting Ding, James Mancz, Omar Shibli, an anonymous researcher, Lorenzo Cavallaro, and Harry Lewandowski
Weather
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-41254: Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania
WebKit
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 259836
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic
WebKit
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: Processing web content may lead to arbitrary code execution
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 259890
CVE-2023-41976: 이준성(Junsung Lee)
WebKit
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: Processing web content may lead to arbitrary code execution
Description: A logic issue was addressed with improved checks.
WebKit Bugzilla: 260173
CVE-2023-42852: an anonymous researcher
WebKit Process Model
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: Processing web content may lead to a denial-of-service
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 260757
CVE-2023-41983: 이준성(Junsung Lee)
Additional recognition
libarchive
We would like to acknowledge Bahaa Naamneh for their assistance.
libxml2
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project Zero for their assistance.
Power Manager
We would like to acknowledge Xia0o0o0o (@Nyaaaaa_ovo) of University of California, San Diego for their assistance.
VoiceOver
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain College Of Technology Bhopal India for their assistance.
WebKit
We would like to acknowledge an anonymous researcher for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.
Published Date:October 25, 2023
FTC: We use income earning auto affiliate links. More.
Comments