CyberSecurity SEE

Apple WebKit Zero-Day Patch Released Again to Address Broken Webpages

An anonymous cybersecurity researcher has discovered an Apple zero-day vulnerability that allowed threat actors to exploit and disrupt website browsing. The vulnerability, identified as CVE-2023-37450, prompted Apple to publish a Rapid Security Response (RSR) advisory for iOS and macOS as a quick response to the threat.

Under the newly launched Rapid Security Response (RSR) program, Apple plans to release a second patch to fix this critical zero-day flaw across its various products, including iOS for iPhones, iPadOS for iPads, macOS Ventura for Macs, and Safari for macOS Big Sur and Monterey. The goal of the RSR program is to ensure timely delivery of zero-day fixes that prioritize user protection.

Apple has not disclosed the specific reason for its silence on the matter. However, glitches in the Safari browser emerged after user-agent detection failed on platforms such as Zoom, Facebook, and Instagram, which resulted in issues with website rendering. Apple’s Rapid Security Responses are designed to swiftly provide zero-day fixes for iPhones and Macs, prioritizing critical patches over regular OS updates to enhance user security.

To address the vulnerabilities, RSR updates modify the user agent on iOS devices by adding the string “(a)”, the same suffix used to label the new updates. For example, the updates will be labeled as iOS 16.5.1 (a), iPadOS 16.5.1 (a), and macOS Ventura 13.4.1 (a). However, after installing the patch for CVE-2023-37450, some users encountered access errors on several websites, leading to complaints. Apple has acknowledged that the Rapid Security Responses caused certain website display issues and plans to rectify the problem in upcoming updates labeled as iOS 16.5.1 (b), iPadOS 16.5.1 (b), and macOS 13.4.1 (b).
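The user-agent detection failure described above can be reproduced with a version gate that assumes a fixed token layout. The following is an added example, not code from Apple or from any of the affected sites; the sample user-agent strings are constructed, and the position of “(a)” after the `Version/` token is an assumption made for illustration.

```javascript
// Constructed sample user-agent strings. Placing "(a)" directly after the
// Version token is an assumption for illustration.
const UA_PLAIN = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Safari/605.1.15";
const UA_RSR = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 (a) Safari/605.1.15";

// Brittle parser: requires "Version/x.y.z" to be followed directly by " Safari/".
// Any extra token in between makes the browser look unrecognised.
function parseStrict(ua) {
  const m = /Version\/(\d+)\.(\d+)(?:\.(\d+))? Safari\//.exec(ua);
  return m ? { major: +m[1], minor: +m[2], patch: +(m[3] || 0), rsr: null } : null;
}

// Tolerant parser: reads only the numeric version and treats an optional
// parenthesised letter as a separate field instead of a parse failure.
function parseTolerant(ua) {
  const m = /Version\/(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\s*\(([a-z])\))?/.exec(ua);
  if (!m) return null;
  return { major: +m[1], minor: +(m[2] || 0), patch: +(m[3] || 0), rsr: m[4] || null };
}

// Compare a parsed version against a [major, minor, patch] minimum.
function atLeast(v, [maj, min, pat]) {
  if (v.major !== maj) return v.major > maj;
  if (v.minor !== min) return v.minor > min;
  return v.patch >= pat;
}

// A site-side "supported browser" gate built on whichever parser is passed in.
function isSupported(ua, parser, minimum) {
  const v = parser(ua);
  return v !== null && atLeast(v, minimum);
}

const MIN = [16, 0, 0];
console.log("strict,   plain:", isSupported(UA_PLAIN, parseStrict, MIN));
console.log("strict,   RSR:  ", isSupported(UA_RSR, parseStrict, MIN));
console.log("tolerant, RSR:  ", isSupported(UA_RSR, parseTolerant, MIN));
```

With the strict parser, the patched browser is rejected as unsupported even though it is the more secure build, which is the kind of breakage that pushes users to remove a security update.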

Users who have already installed the potentially buggy security updates on their Apple devices are advised to remove them to avoid any browsing issues. The removal takes a few simple steps. On iPhones and iPads, users need to open the Settings app, scroll down and tap on “About,” select the “iOS Version” option, locate and tap on “Remove Security Response,” and confirm the removal action. Mac users should click on the Apple logo or menu, select “About This Mac,” click on “More Information,” click on the Info (i) button next to the macOS version number, click on “Remove,” confirm the action, and restart the Mac.

The WebKit browser engine developed by Apple contains this zero-day vulnerability (CVE-2023-37450), which allows arbitrary code execution through manipulated content on targeted web pages. This year, Apple has fixed a total of ten zero-day vulnerabilities across its product line.

Despite the efforts of Apple’s Rapid Security Responses, there is a risk of user resistance if issues persist, potentially undermining the effectiveness of swift patch deployment. It is crucial for Apple to address these vulnerabilities promptly to maintain user trust and security in their products and services.
