Apple recently released a round of Rapid Security Response (RSR) updates to mitigate a new zero-day flaw exploited in attacks against fully patched iPhones, Macs, and iPads.
The Intricacies of the Vulnerability
In advisories for iOS and macOS, Apple acknowledged the CVE-2023-37450 vulnerability, which was reported anonymously. The company stated, “Apple is aware of a report that this issue may have been actively exploited.”
The company recommends the RSR updates for all users, stressing that they are important for keeping systems secure wherever the patches are being distributed.
Purpose of RSR Patches
RSR patches are compact updates created to address security issues on the iPhone, iPad, and Mac platforms. As Apple's support document explains, they are meant to resolve security problems that surface between major software updates.
Some of these out-of-band updates may also be used to fix vulnerabilities that are being actively exploited in attacks. If automatic updates are disabled, or an RSR is declined when it is offered, the device still receives the fix as part of the next regular software update.
Details on the Emergency Patches
The list of emergency patches released recently includes:
- macOS Ventura 13.4.1 (a)
- iOS 16.5.1 (a)
- iPadOS 16.5.1 (a)
- Safari 16.5.2
The vulnerability was found in WebKit, Apple's browser engine. It allowed attackers to execute arbitrary code on targeted devices after luring victims into opening web pages with malicious content embedded in them.
Apple addressed the flaw with improved checks to block exploitation attempts.
Overview of 2023’s Zero-Day Flaws
Since the start of 2023, Apple has patched a total of ten zero-day flaws that were exploited to hack iPhones, Macs, or iPads.
Earlier this month, Apple dealt with three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) that were used to deploy Triangulation spyware on iPhones through iMessage zero-click exploits.
In May, three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) were addressed. The first was reported by researchers at Amnesty International's Security Lab and Google's Threat Analysis Group, and was likely used to install mercenary spyware.
In April, two other zero-day flaws (CVE-2023-28206 and CVE-2023-28205) were patched; they were used in exploit chains combining Android, iOS, and Chrome zero-day and n-day flaws to deploy spyware on the devices of high-risk targets.
In February, another WebKit zero-day (CVE-2023-23529) was patched after being exploited to execute code on vulnerable iPhones, iPads, and Macs.
Temporary Halt in RSR Updates
Interestingly, Apple stopped pushing the RSR updates after services such as Zoom, Facebook, and Instagram began showing “Unsupported Browser” errors in Safari on patched devices. This was reportedly caused by the extra “(a)” in the version string, which broke those platforms’ user-agent detection.
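The breakage described above is a reminder that browser-gating code should parse a version tolerantly rather than require an exact string layout. The following is an added illustration, not code from Apple or from any of the affected services; the two User-Agent strings are constructed, and it is assumed that the RSR placed the “(a)” suffix directly after the `Version/` token.

```javascript
// Constructed sample User-Agent strings (assumption: the RSR suffix lands
// right after the Version/ token, as "Version/16.5.2 (a)").
const UA_BEFORE_RSR =
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/16.5.1 Safari/605.1.15";
const UA_AFTER_RSR =
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/16.5.2 (a) Safari/605.1.15";

// Brittle check: insists that "Version/x.y.z" is immediately followed by
// " Safari/". Any extra token in between, such as "(a)", makes it fail and the
// site wrongly reports an unsupported browser.
function brittleIsSupportedSafari(ua) {
  const m = /Version\/(\d+)\.(\d+)(?:\.(\d+))? Safari\//.exec(ua);
  if (!m) return false;
  return Number(m[1]) >= 14;
}

// Tolerant parser: extracts the numeric version and ignores whatever follows
// it. Returns null for non-Safari WebKit browsers (Chrome on macOS/iOS also
// carries "AppleWebKit/" and "Safari/", so those are excluded explicitly).
function tolerantSafariVersion(ua) {
  if (!/AppleWebKit\//.test(ua)) return null;
  if (/Chrome\/|CriOS\/|Chromium\//.test(ua)) return null;
  const m = /Version\/(\d+)\.(\d+)(?:\.(\d+))?/.exec(ua);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3] || 0) };
}

// Same support policy as the brittle check, but unaffected by suffixes.
function tolerantIsSupportedSafari(ua) {
  const v = tolerantSafariVersion(ua);
  return v !== null && v.major >= 14;
}
```

The brittle check accepts the pre-RSR string and rejects the patched one, while the tolerant version accepts both; the safer option for real sites is feature detection rather than any User-Agent match.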
Apple did not provide an immediate comment when BleepingComputer reached out earlier today.