-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-10-25-2023-1 iOS 17.1 and iPadOS 17.1 iOS 17.1 and iPadOS 17.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213982. Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories. Contacts Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: An app may be able to access sensitive user data Description: A privacy issue was addressed with improved private data redaction for log entries. CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) and Csaba Fitzl (@theevilbit) of Offensive Security CVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) CoreAnimation Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: An app may be able to cause a denial-of-service Description: The issue was addressed with improved memory handling. CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w Find My Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: An app may be able to read sensitive location information Description: The issue was addressed with improved handling of caches. CVE-2023-40413: Adam M. ImageIO Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: Processing an image may result in disclosure of process memory Description: The issue was addressed with improved memory handling. CVE-2023-40416: JZ IOTextEncryptionFamily Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2023-40423: an anonymous researcher Kernel Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations Description: The issue was addressed with improved memory handling. CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de ) Mail Drafts Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: Hide My Email may be deactivated unexpectedly Description: An inconsistent user interface issue was addressed with improved state management. CVE-2023-40408: Grzegorz Riegel mDNSResponder Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: A device may be passively tracked by its Wi-Fi MAC address Description: This issue was addressed by removing the vulnerable code. CVE-2023-42846: Talal Haj Bakry and Tommy Mysk of Mysk Inc. @mysk_co Passkeys Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: An attacker may be able to access passkeys without authentication Description: A logic issue was addressed with improved checks. CVE-2023-42847: an anonymous researcher Photos Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: Photos in the Hidden Photos Album may be viewed without authentication Description: An authentication issue was addressed with improved state management. CVE-2023-42845: Bistrit Dahla Pro Res Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of 360 Vulnerability Research Institute Siri Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: An attacker with physical access may be able to use Siri to access sensitive user data Description: This issue was addressed by restricting options offered on a locked device. CVE-2023-41982: Bistrit Dahla CVE-2023-41997: Bistrit Dahla CVE-2023-41988: Bistrit Dahla Status Bar Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: A device may persistently fail to lock Description: The issue was addressed with improved UI handling. CVE-2023-40445: Ting Ding, James Mancz, Omar Shibli, an anonymous researcher, Lorenzo Cavallaro, and Harry Lewandowski Weather Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: An app may be able to access sensitive user data Description: A privacy issue was addressed with improved private data redaction for log entries. CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of Computer Science, Romania WebKit Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: Processing web content may lead to arbitrary code execution Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 259836 CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic WebKit Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: Processing web content may lead to arbitrary code execution Description: A use-after-free issue was addressed with improved memory management. WebKit Bugzilla: 259890 CVE-2023-41976: 이준성(Junsung Lee) WebKit Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: Processing web content may lead to arbitrary code execution Description: A logic issue was addressed with improved checks. WebKit Bugzilla: 260173 CVE-2023-42852: an anonymous researcher WebKit Process Model Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later Impact: Processing web content may lead to a denial-of-service Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 260757 CVE-2023-41983: 이준성(Junsung Lee) Additional recognition libarchive We would like to acknowledge Bahaa Naamneh for their assistance. libxml2 We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project Zero for their assistance. Power Manager We would like to acknowledge Xia0o0o0o (@Nyaaaaa_ovo) of University of California, San Diego for their assistance. VoiceOver We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain College Of Technology Bhopal India for their assistance. WebKit We would like to acknowledge an anonymous researcher for their assistance. This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 17.1 and iPadOS 17.1". All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5YlsACgkQX+5d1TXa Ivo6xBAAz5wnchUVfj3YbZf3KoadrXFmkWVjtU6sme4ZgN2+gsX+oF1Cunxvx3N2 lGG1dldfG+gmJ3nmtp9/hBCIMvBt5Bus3NdD2nuJ7IbLbP2YuUOrMX3FDPNB8UPE 84d6wZ7B3VVKVxeUsaZzuDlMCvGySyaVelBTxEdDx6RjsHlOe0LWwqoQJ4rrUOO9 wdBogsDpD4JNt++6UarA1f2+OC1mePdiI9e1t6OI+q92IOZu3/cGDda/rFoL/TpY +iC1n9qkyyEOj3anfFi6fjybQQK/XPYccv4iWdP2xi5nqKDQ95nYlnf2LmI6gMOW JutciLyLzqSI3eHY4cL99/NLpMI7UkgBRNHsNwH9d0mJlVyjIBtevJbWKDJl9iSH 3LeZmeMV1x3WQ9JshGmDYvXWJ9cyppKHRsu5BLeMpzis6dmv3FD+sBbI7Or9REKa hyYP0N8YfTGBcFoTa4r0tx1r51+Dy7uUbuMHDxRbXkTLRReEzmyXyxMC+HcEzLUA q0YWuGwR3kZ9x+mlBKBxj+/4dltzKWg8lxOTC733RR78/vsgbf1M3cFpibsubH0L hC9k7RXnV9AYexsEoasFtHuIQQPErTVJqWYYKi6knM34fn64reitK8224Cy6SXyb o55ZsTVV+XRmuzppiOjMFXupcTUTozdmcyXwMaMKSJYAbkOXtLQ= =iliY -----END PGP SIGNATURE-----