December 2 update below. This post was first published on November 30, 2023.
The iOS 17.1.1 iPhone update landed on Tuesday, November 7, 2023. Just three weeks later, Apple has delivered its next release, iOS 17.1.2, warning all users to update now. Here’s what’s in it and how you can get it straight away.
Apple releases iOS 17.1.2.
David Phelan
Which iPhones Can Run iOS 17.1.2?
Like all the releases since the arrival of iOS 17 back in September, this new update is compatible with all iPhones released in 2018 or after. That means iPhone Xs, iPhone Xs Max and iPhone Xr from 2018, then iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max, plus all the iPhone 12, iPhone 13, iPhone 14 and iPhone 15 variants. It also includes iPhone SE second- and third-generation models.
How To Get It
On your iPhone, open the Settings app, choose General, then Software Update. Here, you’ll see sections on Automatic Updates, and Beta Updates. Whether you have automatic updates on or off, you can choose to download the new software now. Pick Download and Install, and your iPhone will be ready in no time.
What’s In The Release
This update has been something of a surprise. We were all waiting for iOS 17.2, which is expected in December and includes a number of new features as well as bug fixes.
But last week there were rumors of an in-between release, and that’s what this is. It’s not a Rapid Security Response, the kind that Apple pioneered earlier this year and which is designed to ensure that the most urgent security fixes can be deployed as soon as possible, without waiting for the next regular update. Those are exclusively for security fixes, that is, they can’t include new features, for instance. RSRs are easily spotted by the bracketed letter at the end of the version number, and they can’t be added to whole-number updates. In other words, while you could have iOS 17.1.1 (a), you couldn’t have iOS 17 (a). Anyway, this isn’t an RSR.
However, there are no new features. Apple merely says, “This update provides important security fixes and is recommended for all users.”
It looks like we need to wait for iOS 17.2, expected in December, for shiny new features, including the much-anticipated Journal app, changes to the Apple TV app and ways to change notification sounds.
Apple has now published its security notes, and it’s now clear that’s why this update has landed when it did. When you see the words “this issue may have been exploited,” as appear in the notes, it’s an indication that the update is urgent and deals with important stuff. In this case, both fixes are for WebKit, Apple’s web browser engine, the first where sensitive information could have been disclosed, while the other may have been exploited for arbitrary code execution.
Full notes below. I’ll be looking into how successful this release has been or whether it’s caused problems, and advising whether you should update or not. So, please check here for full details.
December 2 update. As soon as Apple revealed the details of the update and the big security implications, it became clear why iOS 17.1.2 was released as soon as it was. Zero-day vulnerabilities, as they are called, are serious, as they refer to a vulnerability that was previously unknown to the developer, giving zero days of awareness and defense against it. As Bleeping Computer has pointed out, there have been a bunch of them this year. The ones in this update are the nineteenth and twentieth zero-day vulnerabilities that Apple has fixe in 2023.
As the Daily Mail reported, attackers are out there. Michael Covington, VP of Strategy at Jamf, explained, “These latest OS updates show that attackers continue to focus on exploiting the framework that downloads and presents web-based content.” Covington went on to say not only that they could lead to data leakage and arbitrary code execution, but that they “appear to be tied to targeted attacks that are common against high-risk users.”
There was good news, too in the comments, when Covington added, “Though these patches validate that Apple devices are not immune to cyber threats, the patching process is helping to reduce the attack surface Now that the patches are issued, it is up to users, and organisations that utilise Apple devices for work, to update their devices and monitor for compliance to ensure that all critical devices are no longer vulnerable as soon as possible.”
The arrival of iOS 17.1.2 means that these problems should be fixed, and we can await the next iOS release. Unless there’s a hiccup, that will be iOS 17.2 and should land this side of Christmas.
Apple’s security notes follow.
WebKit
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Description: An out-of-bounds read was addressed with improved input validation.
WebKit Bugzilla: 265041
CVE-2023-42916: Clément Lecigne of Google’s Threat Analysis Group
WebKit
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Description: A memory corruption vulnerability was addressed with improved locking.
WebKit Bugzilla: 265067
CVE-2023-42917: Clément Lecigne of Google’s Threat Analysis Group
Follow me on Twitter.
