Apple zero-day hole in MarketplaceKit tracks iOS users & the fix breaks alternative marketplace

On Monday, Apple backported the patch for CVE-2024-23296 to the iOS 16
branch and has fixed another hole Apple QA missed (yet again)  in
MarketplaceKit which enabled maliciously crafted webpages to distribute a
script that tracks iOS users on other webpages. (CVE-2024-27852)

Users running the iOS and iPadOS 17 branch can grab the latest update that
fixes many different vulnerabilities. Among them is CVE-2024-27852, a bug
in the MarketplaceKit that could allow sites to track iOS users.

Even worse than iOS, the update for macOS Sonoma carries fixes for 22
vulnerabilities that Apple QA (yet again) forgot to test for, where there
were also a handful of updates for macOS Ventura and Monterey that Apple
missed (yet again) in QA.

The fix for the RTKit zero-day (CVE-2024-23296) - which has been patched in
iOS and iPadOS 17.4, macOS Sonoma, watchOS, tvOS and visionOS in March 2024
after reports of in-the-wild exploitation - has been backported only to
Ventura, iOS 16.7.8 and iPadOS 16.7.8 (for now).

In March 2023, Apple has introduced a new URI scheme in iOS 17.4 to allow
EU users to install alternative (third-party) marketplace apps from
developers' websites. Unfortunately, faults in the scheme's implementation
allow it to be misused for cross-site tracking - as Talal Haj Bakry and
Tommy Mysk of Mysk Inc. discovered.

The newest iOS/iPadOS update for the most recent branch will fix this
vulnerability that Apple missed (yet again); but the researchers also
warned users in the EU not to delete their alternative marketplace apps,
because the update breaks alternative marketplace app re-installation.

"MarketplaceKit now generates a different client_id every time it is
called. Now there's no way for alternative marketplace developers to
identify users who have already purchased the marketplace app," they
explained.