New iOS 17.3 Update Warning Issued To All iPhone Users

Apple’s iOS 17.3 launched a month ago and many security-conscious iPhone users have already upgraded to the latest software. But many more cautious iPhone users prefer to wait to update their device, in case any bugs are introduced.

In the case of iOS 17.3, waiting really isn’t a good idea, because some of the security flaws patched in the upgrade are being exploited in real-life attacks.

Now, with iOS 17.4 set to arrive in a matter of days, details have emerged about one of the issues fixed in iOS 17.3, tracked as CVE-2024-23204 and reported by Jubaer Alnazi, a researcher at security outfit Bitdefender.

“Apple’s Shortcuts application, designed to enhance user automation, can inadvertently become a potential vector for privacy breaches,” Alnazi wrote in a blog describing the nature of the vulnerability, its potential impact, and recommended mitigation measures.

What Is CVE-2024-23204 And How Bad Is It?

Fixed in iOS 17.3, CVE-2024-23204 is an issue in Apple’s Shortcuts that could allow an attacker to access sensitive data with certain actions without prompting the user.

The issue was addressed with additional permissions checks, according to Apple’s support page detailing the iOS 17.3 fixes. Reported to the iPhone maker by Alnazi (@h33tjubaer), the flaw has been given a CVSS score of 7.5. It came alongside another CVE, CVE-2024-23203.

The issue affects macOS and iOS devices running versions prior to macOS Sonoma 14.3 and versions prior to iOS 17.3 and iPadOS 17.3, respectively.

Shortcuts is a visual scripting application developed by Apple and provided on its iOS, iPadOS, macOS, and watchOS operating systems. It allows users to share shortcuts with others—but it’s this flexibility that makes the vulnerability risky.

This is because users can unknowingly import shortcuts that might exploit CVE-2024-23204. “With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms,” Alnazi explained.

And for CVE-2024-23204 it was possible to craft a Shortcuts file that would be able to bypass Transparency, Consent and Control (TCC), a security framework in Apple’s macOS and iOS that governs access to sensitive user data and system resources by applications. “TCC ensures that apps explicitly request permission from the user before accessing certain data or functionalities, enhancing user privacy and security,” Alnazi wrote.

In his blog and via a video, he demonstrated how an iPhone user could install a malicious shortcut.

So should you be worried? If you use Shortcuts, obviously yes, but otherwise, it’s more important to cover yourself for the already-exploited iPhone flaws fixed in iOS 17.3.

Even if you do use Shortcuts, Sean Wright, head of application security at Featurespace, says the issue is relatively difficult to exploit. “To successfully attack a user, you need them to explicitly install the malicious Shortcut. While not impossible, it’s just another barrier that an attacker would have to overcome. It’s great to see this fixed, and it’s certainly an interesting vulnerability, but I think the likelihood of an attack being successful would be rather limited.”

What To Do

So what should you do to avoid this issue? The answer is pretty simple—if you haven’t already, update now to iOS 17.3, which’ll mean installing the latest software, iOS 17.3.1. Bitdefender mirrors this advice, saying iPhone users should update their macOS, iPadOS and watchOS devices to the latest versions now.

In addition, exercise caution when executing shortcuts from untrusted sources and regularly check for security updates and patches from Apple.
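
For anyone looking after more than one Apple device, the affected-version ranges given earlier can be checked against an inventory export. The script below is an added example, not code from the article, Apple or Bitdefender; the CSV columns and device names are constructed, and watchOS devices are sent to manual review because the article gives no fixed watchOS version.

```python
import csv
import io

# First fixed releases for CVE-2024-23204, as stated in the article.
FIXED = {"ios": (17, 3), "ipados": (17, 3), "macos": (14, 3)}

# Constructed sample inventory (hypothetical device names and column layout).
SAMPLE_INVENTORY = """device,platform,os_version
ceo-iphone,iOS,17.2.1
lab-ipad,iPadOS,17.3
dev-mac-01,macOS,14.2.1
dev-mac-02,macOS,14.10
qa-iphone,iOS,17.3.1
gym-watch,watchOS,10.2
old-ipad,iPadOS,17.x
"""

def parse_version(text):
    """Turn '17.3.1' into (17, 3, 1); return None if it is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Sort devices into 'vulnerable', 'patched' and 'review' buckets."""
    result = {"vulnerable": [], "patched": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["platform"].strip().lower())
        version = parse_version(row["os_version"])
        if fixed is None or version is None:
            # Unknown platform or unparseable version: never assume patched.
            result["review"].append(row["device"])
        elif version < fixed:
            # Tuple comparison, so 14.10 is newer than 14.3 and 17.3.1 >= 17.3.
            result["vulnerable"].append(row["device"])
        else:
            result["patched"].append(row["device"])
    return result

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Comparing versions as integer tuples rather than strings is what keeps a release such as 14.10 from being misread as older than 14.3.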
