Security News > 2024 > May > Apple backports iOS zero-day patch, adds Bluetooth tracker alert
Apple has backported the patch for CVE-2024-23296 to the iOS 16 branch and has fixed a bug in MarketplaceKit that may allow maliciously crafted webpages to distribute a script that tracks iOS users on other webpages.
The company has also added a new capability to iOS 17 that will alert users if an unknown Bluetooth tracker is "Seen" moving with them.
The fix for the RTKit zero-day - which has been patched in iOS and iPadOS 17.4, macOS Sonoma, watchOS, tvOS and visionOS in March 2024 after reports of in-the-wild exploitation - has been backported only to Ventura, iOS 16.7.8 and iPadOS 16.7.8.
In March 2023, Apple has introduced a new URI scheme in iOS 17.4 to allow EU users to install alternative marketplace apps from developers' websites.
Apple and Google announced that iPhones and Android 6.0+ devices will from now alert users to the presence of unknown Bluetooth tracking devices.
"If a user gets on their iOS device, it means that someone else's AirTag, Find My accessory, or other industry specification-compatible Bluetooth tracker is moving with them. It's possible the tracker is attached to an item the user is borrowing, but if not, iPhone can view the tracker's identifier, have the tracker play a sound to help locate it, and access instructions to disable it," Apple explained.
News URL
https://www.helpnetsecurity.com/2024/05/14/ios-bluetooth-tracker-alert/
Related news
- Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws (source)
- Apple fixes two zero-days used in attacks on Intel-based Macs (source)
- Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308) (source)
- Apple Patches Two Zero-Day Attack Vectors (source)
- New Windows zero-day exposes NTLM credentials, gets unofficial patch (source)
- Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-03-05 | CVE-2024-23296 | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved validation. | 7.8 |