Apple releases iOS 16.7.9 and iPadOS 16.7.9 for iPhone and iPad!

Apple announced on the 29th (local time) that it has started distributing iOS 16.7.9 (20H330) and iPadOS 16.7.9 (20H330), the latest versions of the previous major releases iOS 16 and iPadOS 16, for its iPhone and iPod touch platform "iOS" and its iPad platform "iPadOS".

The update targets the devices supported by iOS 16 and iPadOS 16 (iPhone 8 or later and iPhone SE (2nd generation) or later, iPad (5th generation) or later, iPad Air (3rd generation) or later, iPad mini (5th generation) or later, and all iPad Pro models) that are not supported by the next major versions, iOS 17 and iPadOS 17. Specifically, that means the iPhone X, iPhone 8, iPhone 8 Plus, iPad (5th generation), 12.9-inch iPad Pro (1st generation) and 9.7-inch iPad Pro, on which the update is available free of charge.

According to Apple, the release contains important security updates. It addresses 26 CVE-registered vulnerabilities, including CVE-2024-40799, CVE-2024-27873, CVE-2023-6277, CVE-2023-52356, CVE-2024-40806, CVE-2024-40784 and CVE-2024-40788, and the company says it is aware of reports that some of these vulnerabilities may have been exploited.

As already reported, Apple simultaneously released the current versions iOS 17.6 and iPadOS 17.6, plus iOS 15.8.3 and iPadOS 15.8.3 for older iPhones and iPads, as well as watchOS 10.6 for the Apple Watch smartwatch, tvOS 17.6 for the Apple TV set-top box, visionOS 1.3 for the Apple Vision Pro headset, and macOS Sonoma 14.6, macOS Ventura 13.6.8 and macOS Monterey 12.7.6 for the Mac.


Since iOS 15 and iPadOS 15 in 2021, Apple has let users stay on the existing major version for a certain period instead of moving to the newest one. The latest iOS 17 and iPadOS 17 were released this year, but Apple continues to ship software updates that fix vulnerabilities and bugs for those who keep using iOS 16 and iPadOS 16 for a while longer; iOS 16.7.9 and iPadOS 16.7.9 are the newest of these.

As before, the update can be downloaded over the air (OTA) on the device itself via Settings → General → Software Update. On my iPhone X, the standalone download from iOS 16.7.8 is 250.4 MB. Alternatively, as before, the update can also be applied by connecting the device to a Windows PC or Mac with iTunes installed via a USB-to-Lightning cable. Apple's release notes for the update are as follows.

iOS 16.7.9
This update provides important security fixes and is recommended for all users.

For information on the security content of Apple software updates, please visit this website: https://support.apple.com/HT201222

iPadOS 16.7.9
This update provides important security fixes and is recommended for all users.

For information on the security content of Apple software updates, please visit this website: https://support.apple.com/ja-jp/HT201222

iOS 16.7.9 and iPadOS 16.7.9
Released July 29, 2024

- CoreGraphics
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: An out-of-bounds read issue was addressed with improved input validation.
CVE-2024-40799: D4m0n

- CoreMedia
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing a maliciously crafted video file may lead to unexpected app termination
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2024-27873: Amir Bazine and Karsten König of CrowdStrike Counter Adversary Operations

- ImageIO
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing an image may lead to a denial-of-service
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2023-6277
CVE-2023-52356

- ImageIO
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: An out-of-bounds read issue was addressed with improved input validation.
CVE-2024-40806: Yisumi

- ImageIO
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: An integer overflow was addressed with improved input validation.
CVE-2024-40784: Junsung Lee working with Trend Micro Zero Day Initiative and Gandalf4a

- Kernel
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: A local attacker may be able to cause unexpected system shutdown
Description: A type confusion issue was addressed with improved memory handling.
CVE-2024-40788: Minghao Lin and Jiaxun Zhu from Zhejiang University

- NetworkExtension
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Private browsing may leak some browsing history
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2024-40796: Adam M.

- Photos Storage
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Photos in the Hidden Photos Album may be viewed without authentication
Description: An authentication issue was addressed with improved state management.
CVE-2024-40778: Mateen Alinaghi

- Security
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: An app may be able to read Safari's browsing history
Description: This issue was addressed with improved redaction of sensitive information.
CVE-2024-40798: Adam M.

- Shortcuts
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user
Description: A logic issue was addressed with improved checks.
CVE-2024-40833: an anonymous researcher
CVE-2024-40835: an anonymous researcher
CVE-2024-40836: an anonymous researcher

- Shortcuts
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-40793: Kirin (@Pwnrin)

- Shortcuts
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: A shortcut may be able to bypass Internet permission requirements
Description: A logic issue was addressed with improved checks.
CVE-2024-40809: an anonymous researcher
CVE-2024-40812: an anonymous researcher

- Siri
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: An attacker with physical access may be able to use Siri to access sensitive user data
Description: This issue was addressed by restricting options offered on a locked device.
CVE-2024-40818: Bistrit Dahal and Srijan Poudel

- Siri
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: An attacker may be able to view sensitive user information
Description: This issue was addressed through improved state management.
CVE-2024-40786: Bistrit Dahal

- Siri
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: An attacker with physical access to a device may be able to access contacts from the lock screen
Description: This issue was addressed by restricting options offered on a locked device.
CVE-2024-40822: Srijan Poudel

- VoiceOver
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: An attacker may be able to view restricted content from the lock screen
Description: The issue was addressed with improved checks.
CVE-2024-40829: Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain College of Technology Bhopal India

- WebKit
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2024-40789: Seunghyun Lee (@0x10n) of KAIST Hacking Lab working with Trend Micro Zero Day Initiative

- WebKit
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 273176 CVE-2024-40776: Huang Xilin of Ant Group Light-Year Security Lab
WebKit Bugzilla: 268770 CVE-2024-40782: Maksymilian Motyl

- WebKit
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: An out-of-bounds read was addressed with improved bounds checking.
WebKit Bugzilla: 275431 CVE-2024-40779: Huang Xilin of Ant Group Light-Year Security Lab
WebKit Bugzilla: 275273 CVE-2024-40780: Huang Xilin of Ant Group Light-Year Security Lab

- WebKit
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
Description: This issue was addressed with improved checks.
WebKit Bugzilla: 273805 CVE-2024-40785: Johan Carlsson (joaxcar)
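An added example, not part of the article or of any Apple tooling: a small Python parser for the entry layout Apple uses in the security content above (a "- Component" line, then "Available for", "Impact", "Description", then one CVE per credit line, with several CVEs possible per entry), run over a constructed, abridged sample. It lets a patch-tracking team list which CVEs the build fixes for a given device and flag the memory-corruption bug classes; the dictionary key names and the keyword list are my own assumptions.

```python
import re

# Constructed, abridged sample in the layout of Apple's security-content entries (not the full list).
SAMPLE = """\
- CoreGraphics
Available for: iPhone 8, iPhone 8 Plus, and iPhone X
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: An out-of-bounds read issue was addressed with improved input validation.
CVE-2024-40799: D4m0n

- Siri
Available for: iPhone 8, iPhone 8 Plus, and iPhone X
Description: This issue was addressed by restricting options offered on a locked device.
CVE-2024-40818: Bistrit Dahal and Srijan Poudel

- WebKit
Available for: iPhone 8, iPhone 8 Plus, and iPhone X
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 273176 CVE-2024-40776: Huang Xilin of Ant Group Light-Year Security Lab
WebKit Bugzilla: 268770 CVE-2024-40782: Maksymilian Motyl
"""
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
FIELDS = ("Available for", "Impact", "Description")
MEMORY_SAFETY = ("out-of-bounds", "use-after-free", "integer overflow", "type confusion")

def parse_entries(text):
    """Turn each '- Component' block into a dict; every CVE id found in the block is attached to it."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("- "):
            cur = {"component": line[2:], "cves": []}
            entries.append(cur)
        elif cur is not None:             # skip any text before the first block
            key = next((k for k in FIELDS if line.startswith(k + ":")), None)
            if key:
                cur[key.lower().replace(" ", "_")] = line[len(key) + 1:].strip()
            else:                         # credit line; may carry one or more CVE ids
                cur["cves"].extend(CVE_RE.findall(line))
    return entries

def is_memory_safety(entry):  # bug classes that patch-priority policies usually treat as urgent
    return any(k in entry.get("description", "").lower() for k in MEMORY_SAFETY)

def cves_for_device(entries, device):
    """CVE ids fixed for one device, by component; exact names, so 'iPhone 8' != 'iPhone 8 Plus'."""
    out = {}
    for e in entries:
        names = {d.strip() for d in e.get("available_for", "").replace(" and ", ",").split(",")}
        if device in names:
            out.setdefault(e["component"], []).extend(e["cves"])
    return out
```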


Article by: memn0ck