
Apple has issued a new round of Rapid Security Response (RSR) updates to address a new zero-day bug exploited in attacks and impacting fully-patched iPhones, Macs, and iPads.

"Apple is aware of a report that this issue may have been actively exploited," the company says in iOS and macOS advisories when describing the CVE-2023-37450 vulnerability reported by an anonymous security researcher.

"This Rapid Security Response provides important security fixes and is recommended for all users," Apple warns on systems where the RSR patches are being delivered.

RSR patches have been introduced as compact updates designed to address security concerns on the iPhone, iPad, and Mac platforms, and they serve the purpose of resolving security issues that arise between major software updates, according to this support document.

Such out-of-band security updates may also be used to counter vulnerabilities that are being actively exploited in attacks.

If you turn off automatic updates or don't install Rapid Security Responses when offered, your device will be patched as part of future software upgrades.

Today's list of emergency patches includes:

  • macOS Ventura 13.4.1 (a)
  • iOS 16.5.1 (a)
  • iPadOS 16.5.1 (a)
  • Safari 16.5.2

The flaw has been found in the WebKit browser engine developed by Apple, and it allows attackers to gain arbitrary code execution on targeted devices by tricking the targets into opening web pages containing maliciously crafted content.

The company addressed this security weakness with improved checks to mitigate exploitation attempts.

Figure: macOS 13.4.1 (a) RSR patch (BleepingComputer)

Tenth zero-day patched in 2023

Since the start of 2023, Apple has patched ten zero-day flaws exploited in the wild to hack iPhones, Macs, or iPads.

Earlier this month, Apple addressed three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) exploited to deploy Triangulation spyware on iPhones via iMessage zero-click exploits.

It also fixed three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May, the first reported by Amnesty International Security Lab and Google Threat Analysis Group researchers and likely used to install mercenary spyware.

In April, Apple fixed two other zero-days (CVE-2023-28206 and CVE-2023-28205) used in exploit chains that combined Android, iOS, and Chrome zero-day and n-day flaws to deploy spyware on devices belonging to high-risk targets.

In February, Apple patched another WebKit zero-day (CVE-2023-23529) exploited to gain code execution on vulnerable iPhones, iPads, and Macs.


Update: Apple has stopped pushing the RSR updates. This reportedly happened after some services, including Zoom, Facebook, and Instagram, began showing "Unsupported Browser" errors in Safari on patched devices because the extra "(a)" in the version was breaking the platforms' user-agent detection.
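As an added illustration (not code from the article, from Apple, or from any of the affected services), the snippet below shows how a brittle browser-support check can reject a Safari user agent once the RSR adds "(a)" to the version, and how a tolerant parser handles the suffix. The user-agent strings are constructed samples that assume the "(a)" lands between the Version and Safari tokens; the exact string on a real device may differ.

```javascript
// Constructed sample user-agent strings (assumed shape, not captured from a device).
const UA_BEFORE_RSR =
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/16.5.1 Safari/605.1.15";
const UA_AFTER_RSR =
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/16.5.2 (a) Safari/605.1.15";

// Brittle check: expects "Version/<n>.<n>[.<n>] Safari/" with nothing in between.
// The "(a)" inserted by the RSR breaks that adjacency, so the browser is rejected.
function strictSafariVersion(ua) {
  const m = /Version\/(\d+)\.(\d+)(?:\.(\d+))? Safari\//.exec(ua);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +(m[3] || 0) };
}

// Tolerant check: parse the numeric version, then allow an optional
// parenthesised suffix (such as the RSR "(a)") before the Safari token.
function tolerantSafariVersion(ua) {
  const re = /Version\/(\d+)\.(\d+)(?:\.(\d+))?(?:\s*\(([^)]*)\))?\s+Safari\//;
  const m = re.exec(ua);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +(m[3] || 0), suffix: m[4] || null };
}

// Support policy used by the demo: Safari 16 or newer is supported.
// Only the numeric version should matter; an RSR suffix must not change the result.
function isSupported(parser, ua) {
  const v = parser(ua);
  return v !== null && v.major >= 16;
}
```

With the strict parser the patched device is reported as unsupported, which is the failure the update describes; the tolerant parser still extracts 16.5.2 and records the suffix separately.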

An Apple spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Figure: Unsupported browser error (FishyFish)
