Apple backports iOS zero-day patch, adds Bluetooth tracker alert
Apple has backported the patch for CVE-2024-23296 to the iOS 16 branch and has fixed a bug (CVE-2024-27852) in MarketplaceKit that may allow maliciously crafted webpages to distribute a script that tracks iOS users on other webpages.
The company has also added a new capability to iOS 17 that will alert users if an unknown Bluetooth tracker is “seen” moving with them.
Patched vulnerabilities
Apple released security updates for iOS and iPadOS, macOS, Safari, tvOS and watchOS on Monday.
The update for macOS Sonoma carries fixes for 22 vulnerabilities, the updates for macOS Ventura and Monterey just a handful.
The fix for the RTKit zero-day (CVE-2024-23296) – which has been patched in iOS and iPadOS 17.4, macOS Sonoma, watchOS, tvOS and visionOS in March 2024 after reports of in-the-wild exploitation – has been backported only to Ventura, iOS 16.7.8 and iPadOS 16.7.8 (for now).
Users running the iOS and iPadOS 17 branch can grab the latest update that fixes may different vulnerabilities. Among them is CVE-2024-27852, a bug in the MarketplaceKit that could allow sites to track iOS users.
In March 2023, Apple has introduced a new URI scheme in iOS 17.4 to allow EU users to install alternative (third-party) marketplace apps from developers’ websites. Unfortunately, faults in the scheme’s implementation allow it to be misused for cross-site tracking – as Talal Haj Bakry and Tommy Mysk of Mysk Inc. discovered.
The newest iOS/iPadOS update for the most recent branch will fix this vulnerability, but the researchers also warned users in the EU not to delete their alternative marketplace apps, because the update breaks alternative marketplace app re-installation.
“MarketplaceKit now generates a different client_id every time it is called. Now there’s no way for alternative marketplace developers to identify users who have already purchased the marketplace app,” they explained.
Warning users about Bluetooth tracking devices
Apple and Google announced that iPhones and Android 6.0+ devices will from now alert users to the presence of unknown Bluetooth tracking devices.
“If a user gets [an ‘(Item) Found Moving With You’ alert] on their iOS device, it means that someone else’s AirTag, Find My accessory, or other industry specification-compatible Bluetooth tracker is moving with them. It’s possible the tracker is attached to an item the user is borrowing, but if not, iPhone can view the tracker’s identifier, have the tracker play a sound to help locate it, and access instructions to disable it,” Apple explained.
“Bluetooth tag manufacturers including Chipolo, eufy, Jio, Motorola, and Pebblebee have committed that future tags will be compatible.”