Source: www.govinfosecurity.com – Author: 1
Governance & Risk Management
,
Patch Management
,
Vulnerability Assessment & Penetration Testing (VA/PT)
The Latest Rapid Security Response Might Prevent Websites From Displaying Properly
Mihir Bagwe (MihirBagwe) •
July 11, 2023
Apple has asked users to remove the latest emergency software updates that were released on Monday to address a zero-day vulnerability being actively exploited in the wild.
See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security
The tech giant confirmed Tuesday that the latest fix might prevent some websites from displaying properly on user devices. Patches addressing the issue are expected to be available soon.
A spokesperson for Apple did not explain how the web-surfing issue happened, but users on the MacRumors forum said it appears the updates changed the Safari user agent, which led to the breaking of certain websites including Facebook, Instagram and Zoom.
Apple on Monday pushed out its second-ever Rapid Security Response to address a zero-day targeting its browser rendering engine in iPhone, iPad and MacOS products. RSR is separate from Apple’s regular security updates. It is an out-of-band release that provides hot fixes for critical security issues of iPhone, iPad and Mac devices being exploited in the wild.
The vulnerability, tracked as CVE-2023-37450, is a WebKit bug that allows attackers to execute arbitrary code on targeted devices when victims open maliciously crafted web content. The tech giant said it fixed the issue with improved checks for malware.
Apple revealed limited details of the bug – as was the case with its first RSR release – but said it is aware of a report that this issue may have been actively exploited.
Apple introduced Rapid Security Responses in May with fixes for three zero-days (see: Apple Fixes 3 Zero-Days Exploited in the Wild). “They deliver important security improvements between software updates – for example, improvements to the Safari web browser, the WebKit framework stack or other critical system libraries,” the company said.
The discovery of the latest vulnerability is attributed to an anonymous security researcher who found the flaw affecting the iOS; iPadOS; macOS Big Sur, Monterey and Ventura; and the Safari browser. The zero-day has been fixed in the following versions:
- macOS Ventura 13.4.1 (a)
- iOS and iPadOS 16.5.1 (a)
- Safari 16.5.2
“These latest patches should be considered critical. We’re assuming that they’re associated with a live spyware or malware attack that’s happening right now, given the bug that’s fixed,” wrote Sophos security proselytizer Paul Ducklin on Tuesday. “In jargon-free language, ‘actively exploited’ means ‘this is a zero-day’ or, more bluntly, ‘the crooks found this one first,’ which in turn means: Do not delay, simply do it today.”
Apple has fixed 10 zero-days since the beginning of 2023. The most notable one was the multiple zero-days actively exploited since 2019 to deploy zero-click iMessage malware that Kaspersky dubbed TriangleDB (see: Apple Fixes Multiple 4-Year-Old Zero-Days).
Original Post URL: https://www.govinfosecurity.com/web-browsing-glitch-prompts-apple-to-withdraw-zero-day-fix-a-22512
Category & Tags: –
