Apple, Who Prides itself on its Privacy & Security, Suffers its 10th Zero-Day Breach in 2023.
On July 10, 2023, BleepingComputer reported that Apple has issued a new round of Rapid Security Response (RSR) updates to address a new zero-day bug exploited in attacks and impacting fully-patched iPhones, Macs, and iPads.
“Apple is aware of a report that this issue may have been actively exploited,” the company says in iOS and macOS advisories when describing the CVE-2023-37450 vulnerability reported by an anonymous security researcher.
“This Rapid Security Response provides important security fixes and is recommended for all users,” Apple warns on systems where the RSR patches are being delivered.
Since the start of 2023, Apple has had to patch ten zero-day flaws
that were exploited in the wild to hack iPhones, Macs, or iPads.
RSR patches have been introduced as compact updates designed to address security concerns on the iPhone, iPad, and Mac platforms, and they serve the purpose of resolving security issues that arise between major software updates, according to this support document.
Furthermore, some out-of-band security updates may also be employed to counter security vulnerabilities actively exploited in attacks.
If you turn off automatic updates or don’t install Rapid Security Responses when offered, your device will be patched as part of future software upgrades.
The list of emergency patches includes:
macOS Ventura 13.4.1 (a)
iOS 16.5.1 (a)
iPadOS 16.5.1 (a)
The flaw has been found in the WebKit browser engine developed by Apple, and it allows attackers to gain arbitrary code execution on targeted devices by tricking the targets into opening web pages containing maliciously crafted content.
The company addressed this security weakness with improved checks to mitigate exploitation attempts.
macOS 13.4.1 (a) RSR patch
macOS 13.4.1 (a) RSR patch
Tenth zero-day patched in 2023
Earlier this month, Apple addressed three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) exploited to deploy Triangulation spyware on iPhones via iMessage zero-click exploits.
It also fixed three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May, the first reported by Amnesty International Security Lab and Google Threat Analysis Group researchers and likely used to install mercenary spyware.
In April, Apple fixed two other zero-days (CVE-2023-28206 and CVE-2023-28205) used as part of exploit chains of Android, iOS, and Chrome zero-day and n-day flaws to deploy spyware on devices belonging to high-risk targets.
In February, Apple patched another WebKit zero-day (CVE-2023-23529) exploited to gain code execution on vulnerable iPhones, iPads, and Macs.
Update: Apple has stopped pushing the RSR updates. This reportedly happened after some services, including Zoom, Facebook, and Instagram, began showing “Unsupported Browser” errors in Safari on patched devices because the extra “(a)” in the version was breaking the platforms’ user-agent detection.
An Apple spokesperson was not immediately available for comment when contacted by BleepingComputer.