Apple added notes about various security patches to its iOS 16.3 release notes shortly after that version was removed from Apple’s signed operating systems, an unusual move for the company.
iOS 16.3 no longer signed by Apple
Apple tends to publish security patch notes about each operating system update when significant patches are made. These can range from problems with how apps work to critical system changes to prevent inadvertent data loss or theft.
A Twitter user named @aaronp613, who is a customer experience lead at a jailbreaking website called Havoc Repo, pointed out the new security note changes. He discovered new CVEs were added to a range of update notes on February 20th.
The following patch notes were updated on the Apple Security website:
- iOS 16.3 and iPadOS 16.3
- iOS 16.3.1 and iPadOS 16.3.1
- macOS 13.0
- macOS 11.7.1
- macOS 12.6.1
- macOS 13.2
- macOS 13.2.1
The patch common to many of these updated notes is the one for CVE-2023-23524, shared by David Benjamin of Google Chrome. The flaw allowed a denial of service when processing a maliciously crafted certificate, and it was addressed with improved input validation.
Apple also published patch notes for tvOS 16.3.2 and watchOS 9.3.1 for the first time. Patch notes for iOS 16.3 and iPadOS 16.3 included new notes for two Foundation patches (CVE-2023-23530, CVE-2023-23431) and one for Crash Reporter (CVE-2023-23520).
Apple does routinely add patch notes to previously released security updates on its website. What is odd this time is the timing.
As Aaron pointed out, Apple just removed iOS 16.3 from its signed updates, meaning users can’t downgrade from iOS 16.3.1 anymore. Shortly after this unsigning, Apple then added the patch notes to its website.
This may just be a coincidence, as Apple routinely stops signing updates shortly after a new version comes out. These notes may have been withheld to ensure the patch actually worked before making iOS 16.3.1 the only signed version.
With the release of iOS 16.3.1 and the other recent operating system updates, users don’t need to worry about these security issues. They’ve been patched and reviewed in the wild, so users should feel safe updating to the latest operating systems to ensure protection from these known security issues.