Governance & Risk Management , Patch Management , Vulnerability Assessment & Penetration Testing (VA/PT)

Web-Browsing Glitch Prompts Apple to Withdraw Zero-Day Fix

The Latest Rapid Security Response Might Prevent Websites From Displaying Properly
Web-Browsing Glitch Prompts Apple to Withdraw Zero-Day Fix
Image: Apple

Apple has asked users to remove the latest emergency software updates that were released on Monday to address a zero-day vulnerability being actively exploited in the wild.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

The tech giant confirmed Tuesday that the latest fix might prevent some websites from displaying properly on user devices. Patches addressing the issue are expected to be available soon.

Update: Apple on Wednesday reintroduced the zero-day fixes with Rapid Security Responses iOS 16.5.1 (c) and iPadOS 16.5.1 (c) to address an issue that prevented some websites from being properly displayed. The bugs were previously fixed in Rapid Security Responses iOS 16.5.1 (a) and iPadOS 16.5.1 (a).

A spokesperson for Apple did not explain how the web-surfing issue happened, but users on the MacRumors forum said it appears the updates changed the Safari user agent, which led to the breaking of certain websites including Facebook, Instagram and Zoom.

Apple on Monday pushed out its second-ever Rapid Security Response to address a zero-day targeting its browser rendering engine in iPhone, iPad and MacOS products. RSR is separate from Apple's regular security updates. It is an out-of-band release that provides hot fixes for critical security issues of iPhone, iPad and Mac devices being exploited in the wild.

The vulnerability, tracked as CVE-2023-37450, is a WebKit bug that allows attackers to execute arbitrary code on targeted devices when victims open maliciously crafted web content. The tech giant said it fixed the issue with improved checks for malware.

Apple revealed limited details of the bug - as was the case with its first RSR release - but said it is aware of a report that this issue may have been actively exploited.

Apple introduced Rapid Security Responses in May with fixes for three zero-days (see: Apple Fixes 3 Zero-Days Exploited in the Wild). "They deliver important security improvements between software updates - for example, improvements to the Safari web browser, the WebKit framework stack or other critical system libraries," the company said.

The discovery of the latest vulnerability is attributed to an anonymous security researcher who found the flaw affecting the iOS; iPadOS; macOS Big Sur, Monterey and Ventura; and the Safari browser. The zero-day has been fixed in the following versions:

"These latest patches should be considered critical. We're assuming that they're associated with a live spyware or malware attack that's happening right now, given the bug that's fixed," wrote Sophos security proselytizer Paul Ducklin on Tuesday. "In jargon-free language, 'actively exploited' means 'this is a zero-day' or, more bluntly, 'the crooks found this one first,' which in turn means: Do not delay, simply do it today."

Apple has fixed 10 zero-days since the beginning of 2023. The most notable one was the multiple zero-days actively exploited since 2019 to deploy zero-click iMessage malware that Kaspersky dubbed TriangleDB (see: Apple Fixes Multiple 4-Year-Old Zero-Days).

Update July 13, 10:10 UTC: The story was updated to include Apple's reintroduction of the Rapid Security Responses.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.