Apple pushes out emergency fix for actively exploited zero-day (CVE-2023-37450)

Apple has patched an actively exploited zero-day vulnerability (CVE-2023-37450) by releasing Rapid Security Response updates for iPhones, iPads and Macs running the latest versions of its operating systems.

[Image: Rapid Security Response update iOS 16.5.1 (a) (Source: Help Net Security)]

The vulnerability has also been fixed with a regular security update in Safari (16.5.2), so users running macOS Big Sur and macOS Monterey can also implement the fix.

About CVE-2023-37450

As per usual, Apple doesn’t say much about the fixed vulnerability.

All we know is that CVE-2023-37450:

  • is found in WebKit, the browser engine used by Apple’s Safari web browser and by all other web browsers on iOS and iPadOS
  • can be triggered when a vulnerable browser processes specially crafted (malicious) web content
  • may lead to arbitrary code execution
  • was reported by an anonymous security researcher.

Smaller security updates

In May 2023, Apple started delivering Rapid Security Response updates to owners of Apple smartphones, tablets and computers running the latest versions of iOS, iPadOS, and macOS.

“They deliver important security improvements between software updates – for example, improvements to the Safari web browser, the WebKit framework stack or other critical system libraries. They may also be used to mitigate some security issues more quickly, such as issues that may have been exploited or reported to exist,” Apple has explained.

When introduced, the Rapid Security Response feature was enabled by default, but users can disable it. Also, unlike the regular security updates, these rapid patches can be uninstalled by the user (if they create problems on the device).

If you have the option to receive RSRs, you should take advantage of it. If you haven’t opted for their automatic installation, you should trigger the update process as soon as possible, since CVE-2023-37450 is probably being exploited to deliver malware.

“Speed matters in business, especially when it comes to securing its digital assets. With its Rapid Security Response updates, Apple has set the industry benchmark for not only addressing security vulnerabilities swiftly, but also rolling out these updates across millions of devices. Further, enabling automatic updates ensures that, for most customers, these security updates are applied without any action from the end user,” says Debrup Ghosh, Senior Product Manager at Synopsys Software Integrity Group.

“Although development and security teams, whether at Apple or an emerging software startup, strive to eliminate as many vulnerabilities as possible, they can often still be found in software released to production. However, what really matters is how quickly an organization can move to fix and remediate these vulnerabilities to prevent or mitigate active exploits, and Apple’s Rapid Security Updates seem to be an effective and efficient method towards achieving that goal.”

UPDATE (July 11, 2023, 11:35 a.m. ET):

If you’re wondering why you haven’t received the RSRs or why you cannot trigger their installation, it’s because Apple has pulled them. MacRumors says that the underlying reason is that they “broke” certain popular websites (i.e., users could not use them).

Luckily, users who got the fixes can temporarily downgrade their devices.

UPDATE (July 11, 2023, 1:40 p.m. ET):

Apple has updated the notes for the two RSRs, confirming that it is aware of an issue where they “might prevent some websites from displaying properly.” The company says that new fixes “will be available soon to address this issue.”

UPDATE (July 13, 2023, 04:30 a.m. ET):

Apple has released RSRs iOS 16.5.1 (c), iPadOS 16.5.1 (c) and macOS Ventura 13.4.1 (c), which include the security content of the previous RSRs and fix the issue that prevented some websites from displaying properly.
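For an administrator who needs to confirm which RSR state a Mac is in after the withdrawn (a) release and the re-issued (c) release, here is a small POSIX shell check. It is an added example, not code from the article or from Apple. It assumes that `sw_vers` on macOS Ventura prints a `ProductVersion:` line and, when an RSR is installed, a `ProductVersionExtra:` line carrying the letter suffix; the version 13.4.1 and the (c) suffix come from the article, while labelling (a) as the withdrawn first macOS RSR is an assumption taken from the iOS caption. The sample outputs below are constructed.

```shell
#!/bin/sh
# Added example, not from the article or from Apple.
# Assumption: `sw_vers` prints "ProductVersion:<tab>13.4.1" and, when an RSR
# is applied, "ProductVersionExtra:<tab>(c)". The separator regex accepts
# either tabs or spaces after the colon.

# rsr_status "<sw_vers output>" prints one of:
#   fixed   - 13.4.1 with RSR (c): the re-issued fix from the July 13 update
#   pulled  - 13.4.1 with RSR (a): the first RSR that Apple withdrew
#             (assumed suffix for macOS, taken from the iOS 16.5.1 (a) caption)
#   missing - 13.4.1 with no RSR suffix: CVE-2023-37450 still unpatched
#   unknown - any other base version or suffix; inspect by hand
rsr_status() {
    input="$1"
    version=$(printf '%s\n' "$input" | awk -F':[[:space:]]*' '$1=="ProductVersion"{print $2}')
    extra=$(printf '%s\n' "$input" | awk -F':[[:space:]]*' '$1=="ProductVersionExtra"{print $2}')
    if [ "$version" != "13.4.1" ]; then
        echo unknown
        return 0
    fi
    case "$extra" in
        "(c)") echo fixed ;;
        "(a)") echo pulled ;;
        "")    echo missing ;;
        *)     echo unknown ;;
    esac
}

# Constructed sample outputs (not captured from real machines).
SAMPLE_FIXED='ProductName: macOS
ProductVersion: 13.4.1
ProductVersionExtra: (c)'

SAMPLE_PULLED='ProductName: macOS
ProductVersion: 13.4.1
ProductVersionExtra: (a)'

SAMPLE_MISSING='ProductName: macOS
ProductVersion: 13.4.1'

# On a real Mac, classify the local machine; elsewhere, run the samples.
if command -v sw_vers >/dev/null 2>&1; then
    rsr_status "$(sw_vers)"
else
    for s in "$SAMPLE_FIXED" "$SAMPLE_PULLED" "$SAMPLE_MISSING"; do
        rsr_status "$s"
    done
fi
```

The function deliberately reports `unknown` rather than guessing for any version other than 13.4.1, so a machine still on an older macOS (where the fix ships through Safari 16.5.2 instead of an RSR) is flagged for manual review rather than misreported as patched.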
