Johnny Jackhammer

macrumors regular
Original poster
May 5, 2011
149
87
I have been reading that 17.4 is an "emergency update" on the web for a few days now. Here is one article but you can run a search and find plenty.


However, AFAIK, this was just a regular planned update that went through the entire Beta Cycle that included security updates -- in fact Apple listed emoji before "other updates including security updates".

When I think of "emergency security updates" I think of the updates that come in the "Security Responses & Security Files" category.

What was most frustrating was the wild goose chase I went on after updating to 17.4 for these "patches" to 17.4.

Just curious if anyone else had the same reaction and confusion?
 

bogdanw

macrumors 603
Mar 10, 2009
6,152
3,049

Johnny Jackhammer

> CVE-2024-23296 "Apple is aware of a report that this issue may have been exploited."
> CVE-2024-23225 "Apple is aware of a report that this issue may have been exploited."
> https://support.apple.com/HT214081
>
> "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation." https://www.cisa.gov/news-events/al...s-two-known-exploited-vulnerabilities-catalog
>
> In less formal words, iOS 17.3.1 devices were/are getting hacked.

I get it. I wrote that it contained security updates but was confused why a regular planned update that went through beta testing is being called an “emergency release”
 

za9ra22

macrumors 65816
Sep 25, 2003
1,441
1,932
Any known exploits which have been reported in the wild for a platform the size of iPhone use is rightly considered 'emergency'. That 17.4 was a planned release simply means that the security fixes were rolled into it. These don't get prerelease testing in the same way anyway, because the developer/beta testing communities don't really have the necessary skills.
 

bogdanw

> I get it. I wrote that it contained security updates but was confused why a regular planned update that went through beta testing is being called an “emergency release”

Apple has failed to implement Rapid Security Responses, they are dead now.
The fixes for the two security vulnerabilities are the emergency.
Without them, the new poop emoji in iOS 17.4 could have been released next month.
 

Johnny Jackhammer

> Any known exploits which have been reported in the wild for a platform the size of iPhone use is rightly considered 'emergency'. That 17.4 was a planned release simply means that the security fixes were rolled into it. These don't get prerelease testing in the same way anyway, because the developer/beta testing communities don't really have the necessary skills.

That’s a developer perspective. Someone with a deeper understanding could parse that headline, but these articles are for users.

I would argue they are using click-bait tactics to deliver a story with genuine content and prioritizing fear over accuracy. The security updates are part of the minor release so it should be referred to that way to avoid confusion. They are not separate security “patches” to be installed.
 

bousozoku

Moderator emeritus
Jun 25, 2002
16,145
2,408
Lard
It wouldn't be the first time that Apple sat on security vulnerabilities.

Apparently the Rapid Security Response has limits in what they can patch this way or the release was so close that they didn't feel the need to hurry the fixes before iOS 17.4.

Maybe, they need to get all those people working on AI to investigate checking the system for security flaws automatically.
 