On Monday, Apple rolled out an urgent software update for its iOS, iPadOS and macOS operating systems, warning that a zero-day exploit had been detected. The company said it is aware of reports that this issue may have been actively exploited. The vulnerability, CVE-2023-37450, affects the WebKit browser module in iOS 16.5.1(a) on iPhones and iPads and in macOS Ventura 13.4.1. The bug can be abused to trigger arbitrary code execution when processing web content.
A barebones advisory from Cupertino said that the security flaw is in WebKit, the browser engine used by Safari, Mail, App Store, and many other apps on iOS and macOS-powered devices. The Rapid Security Response (RSR) patch is a compact update designed to address security issues on the iPhone, iPad, and Mac platforms that arise between major software updates, according to Apple's support document. In addition, some out-of-band security updates can also be used to address security vulnerabilities that are actively exploited in attacks.
If you turn off automatic updates or do not install Rapid Security Responses when they are offered, your device will be patched as part of a future software upgrade.
Today's list of emergency patches includes:
macOS Ventura 13.4.1 (a)
iOS 16.5.1 (a)
iPadOS 16.5.1 (a)
Safari 16.5.2
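
As an added example (not Apple's tooling and not part of the original article), here is a fleet check a defender could run over an inventory export to find devices still missing the OS patches listed above. The platform labels, status strings and sample inventory are assumptions of this example, as is treating any later OS release as carrying the fix; Safari 16.5.2 is not covered.

```python
import re

# Patched baselines taken from the article's list of emergency patches.
# The platform keys are this example's own labels.
PATCHED = {
    "macOS": "13.4.1 (a)",
    "iOS": "16.5.1 (a)",
    "iPadOS": "16.5.1 (a)",
}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:\(([a-z])\))?\s*$")

def parse_version(text):
    """Split '16.5.1 (a)' into ((16, 5, 1), 'a'); no RSR suffix gives ''."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so 16.6 compares as 16.6.0.
    nums += (0,) * (3 - len(nums))
    return nums, m.group(2) or ""

def rsr_status(platform, reported):
    """Classify one device against the patched baseline for its platform."""
    base, letter = parse_version(PATCHED[platform])
    nums, have = parse_version(reported)
    if nums > base:
        # Assumption: a later OS release already includes the fix.
        return "patched-by-later-release"
    if nums < base:
        # An RSR installs only on top of its base release.
        return "needs-os-update"
    return "patched" if have >= letter else "needs-rsr"

def audit(inventory):
    """Return (host, status) for every device that is not yet patched."""
    results = [(host, rsr_status(plat, ver)) for host, plat, ver in inventory]
    return [(h, s) for h, s in results if not s.startswith("patched")]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("mac-01", "macOS", "13.4.1"),
    ("mac-02", "macOS", "13.4.1 (a)"),
    ("phone-01", "iOS", "16.5.1(a)"),
    ("phone-02", "iOS", "16.5"),
    ("pad-01", "iPadOS", "16.6"),
]
```

Calling `audit(SAMPLE)` returns only the devices that still need action, separating those that need the Rapid Security Response from those that must first move to the base release.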
The flaw was found in the WebKit browser engine developed by Apple, and allows attackers to obtain arbitrary code execution on targeted devices by tricking the target into opening web pages containing maliciously crafted content. Earlier this month, Apple addressed three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) that were exploited to spread Triangulation spyware on iPhones via an iMessage zero-click exploit.
Apple also fixed three other zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May, which were first reported by Amnesty International Security Lab and Google Threat Analysis Group researchers and were most likely used to install mercenary spyware. So far in 2023, there have been 41 publicly documented cases of zero-day attacks, with more than a fifth (22 percent) affecting software code on Apple devices.