CVE-2023-37450: 0-day bug affecting iPhones, Macs, and iPads
Unsettling news has emerged from Apple’s Cupertino headquarters: an anonymous security researcher reported a zero-day vulnerability capable of compromising fully patched iPhones, Macs, and iPads. The report prompted Apple to issue a series of Rapid Security Response (RSR) updates to address the threat to its user base.
The vulnerability, identified as CVE-2023-37450, sent a ripple of concern through the digital world, further proving the evolving sophistication of cyber threats. No device, no matter how secure, is immune to the increasing finesse of cybercriminals.
At the heart of this storm is Apple’s own WebKit browser engine. The flaw allows attackers to execute arbitrary code on a targeted device when it processes maliciously crafted web content, so luring a user to a booby-trapped web page is enough to gain control of the device and potentially trigger a cascade of further breaches.
Apple has acknowledged the existence and active exploitation of the issue. “Apple is aware of a report that this issue may have been actively exploited,” the company wrote.
To counter this exploit, Apple has rolled out a Rapid Security Response, a relatively new mechanism for addressing such threats quickly. An RSR is an intermediate line of defense that delivers important security fixes between regular software updates. It may include changes to the Safari web browser, the WebKit framework stack, or other critical system libraries.
Importantly, these responses also serve as a quickfire solution to mitigate security vulnerabilities reported to exist “in the wild,” effectively putting a halt to their active exploitation. However, they are provided only for the latest versions of iOS, iPadOS, and macOS, beginning with iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1.
In response to the present CVE-2023-37450 zero-day exploit, Apple has released the following emergency patches:
1. macOS Ventura 13.4.1 (a)
2. iOS 16.5.1 (a)
3. iPadOS 16.5.1 (a)
4. Safari 16.5.2
For users who may have disabled automatic updates or delayed installing the RSR when prompted, the security patch will be included in future software upgrades.
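Because an RSR shows up as a letter suffix on the OS version rather than as a new version number, a fleet check has to look at both fields. The following script is an added example, not code from the article or from Apple: it parses `sw_vers`-style output and reports whether a macOS Ventura host is at or above the 13.4.1 (a) level the patch list gives. It assumes that `sw_vers` on macOS 13.3.1 and later prints a `ProductVersionExtra` line (such as `(a)`) when an RSR is installed, and that a later full release (13.5 and up) already carries the fix, as the article states; the sample output embedded in the script is constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): check whether a macOS
# Ventura host is at or above the Rapid Security Response level the article
# lists for CVE-2023-37450, 13.4.1 (a), using the output of `sw_vers`.
# Assumption: on macOS 13.3.1+ `sw_vers` prints a "ProductVersionExtra" line
# such as "(a)" when an RSR is installed. The sample output below is constructed.

REQUIRED_VERSION="13.4.1"   # base version from the article's patch list
REQUIRED_EXTRA="a"          # RSR letter from "13.4.1 (a)"

# Constructed sw_vers output for offline use; BuildVersion is a placeholder.
SAMPLE_OUTPUT='ProductName:		macOS
ProductVersion:		13.4.1
ProductVersionExtra:	(a)
BuildVersion:		XXXXXX'

# compare_versions A B -> prints gt, eq or lt for dotted numeric versions.
# Missing trailing components count as 0 (13.5 is treated as 13.5.0).
compare_versions() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i")
    b=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i")
    if [ "$a" -gt "$b" ]; then echo gt; return; fi
    if [ "$a" -lt "$b" ]; then echo lt; return; fi
    i=$((i + 1))
  done
  echo eq
}

# rsr_status VERSION EXTRA -> prints "patched" or "unpatched".
# EXTRA is the raw ProductVersionExtra value, e.g. "(a)", or empty when no RSR
# is installed.
rsr_status() {
  letter=$(printf '%s\n' "$2" | tr -d '()')
  case $(compare_versions "$1" "$REQUIRED_VERSION") in
    gt) echo patched ;;     # a later full release already contains the fix
    lt) echo unpatched ;;   # RSRs are only issued for the current release
    eq)
      # Same base version: the RSR letter must sort at or after the required one.
      if [ -n "$letter" ] &&
         [ "$(printf '%s\n%s\n' "$REQUIRED_EXTRA" "$letter" | sort | head -n 1)" = "$REQUIRED_EXTRA" ]; then
        echo patched
      else
        echo unpatched
      fi ;;
  esac
}

# sw_vers_field OUTPUT KEY -> value of the "KEY:<whitespace>value" line, if any.
sw_vers_field() {
  printf '%s\n' "$1" | awk -F: -v key="$2" '$1 == key { sub(/^[ \t]+/, "", $2); print $2 }'
}

# check_sw_vers OUTPUT -> status for one captured sw_vers output.
check_sw_vers() {
  rsr_status "$(sw_vers_field "$1" ProductVersion)" "$(sw_vers_field "$1" ProductVersionExtra)"
}

# On a real Mac this would be: check_sw_vers "$(sw_vers)"
check_sw_vers "$SAMPLE_OUTPUT"
```

Note that the check deliberately treats 13.5 and later as patched and 13.3.1 (a) as unpatched: the earlier RSR letter belongs to a different base version, and an RSR letter is only meaningful for the release it was issued for.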
Update 1:
Apple has pulled a software update after reports suggesting that the implementation of certain patches was causing select websites, such as Facebook, Instagram, and Zoom, to encounter an “Unsupported Browser” error on Safari.
Update 2:
On July 13th, Apple started pushing iOS 16.5.1 (c), iPadOS 16.5.1 (c), and macOS 13.4.1 (c) Security Response updates that address the web browsing issues.