Apple has issued a new round of Rapid Security Response (RSR) updates to address a new zero-day bug exploited in attacks and impacting fully-patched iPhones, Macs, and iPads.
"Apple is aware of a report that this issue may have been actively exploited," the company says in iOS and macOS advisories when describing the CVE-2023-37450 vulnerability reported by an anonymous security researcher.
"This Rapid Security Response provides important security fixes and is recommended for all users," Apple warns on systems where the RSR patches are being delivered.
RSR patches are compact updates designed to address security concerns on the iPhone, iPad, and Mac platforms, resolving security issues that arise between major software updates, according to Apple's support document.
Furthermore, some out-of-band security updates may also be employed to counter security vulnerabilities actively exploited in attacks.
If you turn off automatic updates or don't install Rapid Security Responses when offered, your device will be patched as part of future software upgrades.
Today's list of emergency patches includes:
- macOS Ventura 13.4.1 (a)
- iOS 16.5.1 (a)
- iPadOS 16.5.1 (a)
- Safari 16.5.2
The flaw has been found in the WebKit browser engine developed by Apple, and it allows attackers to gain arbitrary code execution on targeted devices by tricking the targets into opening web pages containing maliciously crafted content.
The company addressed this security weakness with improved checks to mitigate exploitation attempts.
Tenth zero-day patched in 2023
Since the start of 2023, Apple has patched ten zero-day flaws exploited in the wild to hack iPhones, Macs, or iPads.
Earlier this month, Apple addressed three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) exploited to deploy Triangulation spyware on iPhones via iMessage zero-click exploits.
It also fixed three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May, the first reported by Amnesty International Security Lab and Google Threat Analysis Group researchers and likely used to install mercenary spyware.
In April, Apple fixed two other zero-days (CVE-2023-28206 and CVE-2023-28205) used in exploit chains that combined Android, iOS, and Chrome zero-day and n-day flaws to deploy spyware on devices belonging to high-risk targets.
In February, Apple patched another WebKit zero-day (CVE-2023-23529) exploited to gain code execution on vulnerable iPhones, iPads, and Macs.
Update: Apple has stopped pushing the RSR updates. This reportedly happened after some services, including Zoom, Facebook, and Instagram, began showing "Unsupported Browser" errors in Safari on patched devices because the extra "(a)" in the version was breaking the platforms' user-agent detection.
An Apple spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
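The "Unsupported Browser" breakage described above comes down to user-agent parsers that expect the Safari Version token to be followed immediately by the Safari token. The following is an added example, not code from the article or from any of the affected services: it places a brittle version check beside a tolerant one and runs both over constructed user-agent strings. The exact string a patched device sent is an assumption here; the sample assumes the "(a)" suffix was appended after the Version number, as the article's description suggests.

```javascript
// Added example (not from the article): brittle versus tolerant Safari
// user-agent version detection. Both UA strings below are constructed for
// illustration, not captured from real devices; the "(a)" placement is an
// assumption based on the article's description of the RSR version string.

const UA_BEFORE =
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/16.5.1 Safari/605.1.15";
const UA_AFTER =
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/16.5.2 (a) Safari/605.1.15";
const UA_CHROME =
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36";

// Brittle parser: requires "Version/<n.n.n>" to be immediately followed by
// " Safari/". Any extra token between them (such as "(a)") makes it fail,
// and a failed parse is typically treated as "unsupported browser".
function parseSafariVersionStrict(ua) {
  const m = /Version\/(\d+(?:\.\d+)*) Safari\//.exec(ua);
  return m ? m[1] : null;
}

// Tolerant parser: confirms the UA is Safari (has "Safari/" and is not a
// Chromium-based browser that also carries that token), then reads the
// Version number wherever it appears, ignoring what follows it.
function parseSafariVersionTolerant(ua) {
  if (!/Safari\//.test(ua)) return null;
  if (/Chrome\/|Chromium\/|CriOS\//.test(ua)) return null;
  const m = /Version\/(\d+(?:\.\d+)*)/.exec(ua);
  return m ? m[1] : null;
}

// Support gate used by a hypothetical web service: accept Safari whose
// major version is at least minMajor. The parser is injected so the same
// gate can be evaluated with either parsing strategy.
function isSupportedSafari(ua, minMajor, parser) {
  const version = parser(ua);
  if (version === null) return false;
  return parseInt(version.split(".")[0], 10) >= minMajor;
}

// Demonstration: the same patched device passes or fails the gate depending
// only on how strictly the version token is parsed.
for (const [label, ua] of [["before RSR", UA_BEFORE], ["after RSR", UA_AFTER]]) {
  console.log(
    label,
    "strict:", isSupportedSafari(ua, 15, parseSafariVersionStrict),
    "tolerant:", isSupportedSafari(ua, 15, parseSafariVersionTolerant)
  );
}
```

The practical lesson for a service owner is to derive browser support from a parsed version number rather than from the exact shape of the string, and to fail open to a warning rather than blocking outright when the parse is ambiguous, so that a vendor's out-of-band patch does not lock users out.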
Comments
nauip - 7 months ago
"your device be patched as part of future software upgrades."
I think somebody forgot a word there. Or we're celebrating write like a pirate day.
serghei - 7 months ago
Definitely a word there, fixed!
nauip - 7 months ago
Wow - it's already fixed!
AutomaticJack - 7 months ago
"reported by an anonymous security researcher" - maybe another 0day needed burning in order to prevent it from falling into the wrong hands? #cyberwar
IhateMicroSoft - 7 months ago
The update has been pulled due to a bug in Safari -- Source is on macrumors.