Urgent Software Update: Apple Detects Zero-Day Exploit in iOS, iPadOS, and macOS

 


On Monday, Apple rolled out an urgent software update for its iOS, iPadOS and macOS operating systems, warning that a zero-day exploit had been detected. The company said it is aware of reports that this issue may have been actively exploited. The vulnerability, CVE-2023-37450, affects the WebKit browser module on iPhones and iPads running iOS 16.5.1(a) and on Macs running macOS Ventura 13.4.1. Attackers can abuse the bug to trigger arbitrary code execution when the device processes web content.

A barebones advisory from Cupertino said that the security flaw is in WebKit, the browser engine used by Safari, Mail, App Store, and many other apps on iOS and macOS-powered devices. The Rapid Security Response (RSR) patch is a compact update designed to address security issues on the iPhone, iPad, and Mac platforms that arise between major software updates, according to an Apple support document. In addition, some out-of-band security updates can also be used to address security vulnerabilities that are actively exploited in attacks.

If you turn off automatic updates or do not install Rapid Security Responses when they are offered, your device will be patched as part of a future software upgrade. Today's list of emergency patches includes:

macOS Ventura 13.4.1 (a)

iOS 16.5.1 (a)

iPadOS 16.5.1 (a)

Safari 16.5.2

The flaw was found in the WebKit browser engine developed by Apple. It allows attackers to obtain arbitrary code execution on targeted devices by tricking the target into opening web pages containing maliciously crafted content. Earlier this month, Apple addressed three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) that were exploited to spread Triangulation spyware on iPhones via iMessage zero-click exploits.

Apple also fixed three other zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May, which were first reported by Amnesty International Security Lab and Google Threat Analysis Group researchers and were most likely used to install mercenary spyware. So far in 2023, there have been 41 publicly documented cases of zero-day attacks, with more than a fifth (22 percent) affecting software code on Apple devices.
