Apple has released updates for iOS, Safari, and macOS to address a vulnerability in WebKit that has been actively exploited in the wild, and has also added a new security feature in iOS that can prevent access or changes to some sensitive data and features on iPhones if they’re lost or stolen.
The WebKit bug (CVE-2024-23222) is a type confusion vulnerability that an attacker could use to gain remote code execution under some circumstances. The vulnerability affects iOS, iPadOS, and macOS Sonoma, Ventura, and Monterey.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited,” Apple said in its advisory.
The other major change in iOS 17.3 is the addition of a feature called Stolen Device Protection, a security control that limits how and when someone can gain access to or make changes to things such as the Apple ID, passwords, or saved credit card information on the device. The feature requires users to take some extra security measures, such as re-authenticating with Face ID or Touch ID, in order to make changes to sensitive data on the device.
“When Stolen Device Protection is enabled, some features and actions have additional security requirements when your iPhone is away from familiar locations such as home or work. These requirements help prevent someone who has stolen your device and knows your passcode from making critical changes to your account or device.
“In the event that your iPhone is stolen, the security delay is designed to prevent a thief from performing critical operations so that you can mark your device as lost and make sure your Apple account is secure. Some actions such as accessing stored passwords and credit cards require a single biometric authentication with Face ID or Touch ID — with no passcode alternative or fallback — so that only you can access these features.”
The new feature also requires a delay of an hour and another authentication to change the device owner’s Apple ID or passwords. The delay is designed to prevent an unauthorized user or thief from making changes before the device owner can mark it as lost and lock down the Apple ID account.
Users can activate Stolen Device Protection by going to Settings, then Face ID and Passcode, and then entering their passcode. The new feature can be enabled once the passcode is entered.