Apple has released a new Rapid Security Response (RSR) update addressing a zero-day vulnerability allegedly affecting fully-patched Apple devices such as iPhones, Macs, and iPads.
"Apple is aware of a report that this issue may have been actively exploited," Apple wrote in its security advisory.
The flaw being addressed is tracked as CVE-2023-37450 and is described as an arbitrary code execution bug in the WebKit browser engine. It allows threat actors to run arbitrary code on target endpoints by tricking victims into opening malicious websites.
Apple said it fixed the flaw with improved checks that block attempts to exploit the bug.
The patch was initially released for these OS versions:
- macOS Ventura 13.4.1 (a)
- iOS 16.5.1 (a)
- iPadOS 16.5.1 (a)
- Safari 16.5.2
However, it was later reported that the company pulled some of the updates due to a bug in Safari. In a thread on the MacRumors forum, one user asked: “Did Apple pull it? I updated my MacBook and iPhone upon release but had to wait until later tonight to apply it to my Mac Mini and iPad and it's not showing on either.” Another one soon replied, saying: “According to this link, they pulled the Ventura ones too. But these links still work.”
Some outlets are even reporting that Apple pulled all of the updates, although this has yet to be confirmed.
While we don’t know who the threat actors using this flaw are, or who their targets might be, it would be best to apply the patch rather than wait for further clarification. Those who have automatic updates and Rapid Security Responses turned off will receive the fix together with future software upgrades.
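For administrators who need to confirm whether a Mac actually carries the Rapid Security Response listed above, the following script is an added example (not from the article or from Apple). It parses the text that `sw_vers` prints and reports whether the device matches the patched macOS Ventura 13.4.1 (a) release. It assumes the `sw_vers` output format in which an applied RSR appears as a `ProductVersionExtra:` line; the sample outputs embedded below are constructed, and the build number is a placeholder.

```shell
#!/bin/sh
# Added example: check whether a macOS host reports the RSR build that addresses
# CVE-2023-37450 (macOS Ventura 13.4.1 (a), per Apple's advisory as cited in the
# article). Not Apple's code; the sw_vers output format is an assumption.

PATCHED_VERSION="13.4.1"   # base release the RSR applies to
PATCHED_EXTRA="(a)"        # RSR suffix shown by sw_vers as ProductVersionExtra

# vercmp A B -> prints -1, 0 or 1 for A < B, A = B, A > B (dotted numeric versions)
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1;  exit }
        }
        print 0
    }'
}

# rsr_status <sw_vers output> -> prints a verdict; exit 0 only when the RSR is present
rsr_status() {
    # Field separator: the colon plus any following whitespace (sw_vers uses tabs)
    version=$(printf '%s\n' "$1" | awk -F':[[:space:]]*' '$1 == "ProductVersion" {print $2}')
    extra=$(printf '%s\n' "$1" | awk -F':[[:space:]]*' '$1 == "ProductVersionExtra" {print $2}')
    [ -n "$version" ] || { echo "unknown: no ProductVersion line"; return 2; }

    case $(vercmp "$version" "$PATCHED_VERSION") in
        -1) echo "missing: $version predates the RSR base release"; return 1 ;;
        0)  if [ "$extra" = "$PATCHED_EXTRA" ]; then
                echo "patched: $version $extra"; return 0
            else
                echo "missing: $version without RSR $PATCHED_EXTRA"; return 1
            fi ;;
        1)  echo "newer: $version; confirm against Apple's advisory"; return 3 ;;
    esac
}

# Constructed sample outputs (BuildVersion is a placeholder, not a real build id)
SAMPLE_PATCHED="ProductName: macOS
ProductVersion: 13.4.1
ProductVersionExtra: (a)
BuildVersion: PLACEHOLDER"

SAMPLE_UNPATCHED="ProductName: macOS
ProductVersion: 13.4.1
BuildVersion: PLACEHOLDER"

SAMPLE_OLDER="ProductName: macOS
ProductVersion: 13.3.1
BuildVersion: PLACEHOLDER"

# Use the live system on a Mac; fall back to the constructed samples elsewhere
if command -v sw_vers >/dev/null 2>&1; then
    rsr_status "$(sw_vers)" || true
else
    rsr_status "$SAMPLE_PATCHED"   || true
    rsr_status "$SAMPLE_UNPATCHED" || true
    rsr_status "$SAMPLE_OLDER"     || true
fi
```

The script deliberately refuses to declare a release newer than 13.4.1 as patched, because the article only names the builds Apple shipped the RSR for; a fleet check should compare later versions against Apple's own advisory rather than assume the fix was carried forward.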
Analysis: Why does it matter?
Arbitrary code execution is a high-severity class of flaw because it lets threat actors cause significant damage on target endpoints and the wider network. The term means the attacker can run code of their choosing on the attacked system, which may give them access to data, apps, and more. Once on the system, threat actors can exfiltrate sensitive data, escalate privileges to gain even more control, install malware, create backdoors, and more.
To protect against arbitrary code executions, companies are advised to regularly update their software and hardware, set up strong access controls, and regularly audit their systems.
In this particular case, CVE-2023-37450 was said to have been used in the wild. That means threat actors managed to craft malicious code that takes advantage of the flaw for any of the above goals, and then some, and are currently using that code against their targets, trying to compromise their systems and gain a foothold on their networks. Apple users, namely iPhone, Mac, and iPad users, should therefore be extra careful when clicking on links in emails and social media messages, as well as when downloading attachments. Email is the most popular attack vector these days, and the chances of a piece of malware being distributed this way are quite high.
So far this year, Apple patched ten zero-day flaws affecting its iPhones, Macs, and iPads, all of which were abused in the wild. That includes CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439, which were used to install spyware on iPhones through the iMessage app. The spyware allowed threat actors to triangulate the position of the target endpoint. Furthermore, Apple fixed CVE-2023-28206 and CVE-2023-28205, two flaws that were being used to install spyware on devices belonging to “high-risk” targets.
What have others said about it?
On Apple Insider, one user complained about the patch breaking their device:
“Just applied the Rapid Security Response. It broke Facebook on Safari. Before the update loading Facebook in Safari for MacOS worked fine. After the update loading Facebook in Safari for MacOS brings up a warning: "Unsupported Browser You're using a browser that isn't supported by Facebook, so we've redirected you to a simpler version to give you the best experience." And, yes. It's a squished-down version of Facebook.”
Another user chimed in to speculate that the threat actors were actually leveraging the flaw through Facebook. They make a valid point, given that the initial reports stated arbitrary code execution was achieved when victims processed “specially crafted web content.”
“I suspect they're using Facebook to exploit the vulnerability hence the "downgrade" of FB. The FB on Safari is atrocious though,” they said.
Tweeting about the flaw, cybersecurity firm SlowMist urged its readers to apply the patch immediately: “Given the high-risk nature associated with this vulnerability, we highly recommend updating your devices ASAP!,” the tweet reads.