Apple has issued an update for a vulnerability which it says may have been actively exploited.
In the security content for Safari 16.5.2 we can learn that the vulnerability was found in the WebKit component which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps. On iOS and iPadOS even third-party browsers have to use WebKit under the hood. So, it’s no surprise that this update is available for a range of operating systems (OSs).
macOS Big Sur and macOS Monterey
iOS 16.5.1 and iPadOS 16.5.1
macOS Ventura 13.4.1
For most users, no action is required. Apple devices are configured to implement Rapid Security Responses as the default setting automatically. If needed, users will receive a prompt to restart their device.
Rapid Security Response (RSR) is a new type of software patch delivered between Apple's regular, scheduled software updates. Previously, Apple security fixes came bundled along with features and improvements, but RSRs only carry security fixes. They're meant to make the deployment of security improvements faster and more frequent. According to an Apple notice about RSRs, the new updates "may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist 'in the wild'." RSR was first introduced in May of 2023.
To check whether you have RSR enabled, select System Settings. In the Settings window, click on (General and Software) Update, then Automatic Updates, and make sure the toggle is turned on for Install Security Responses and system files.
It may be important to note that the first attempt to patch this vulnerability, offered as iOS 16.5.1 (a), reportedly broke some sites. This first attempt was pulled hours after release. Apple then followed up with this latest update.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in this updates is:
CVE-2023-37450: Processing web content may lead to arbitrary code execution. The issue was addressed with improved checks.
While Apple doesn't disclose, discuss, or confirm security issues until a patch is made available and users have had the opportunity to apply them, what we can conclude from that description is that the bug could be used for drive-by downloads as it might allow an attacker to execute arbitrary code by tricking users into opening web pages containing specially crafted content.
Update July 17, 2023
This weekend I received a notification about RSR iOS 16.5.1 (c). The release of iOS 16.5.1 (c) comes after Apple issued iOS 16.5.1 (a) earlier this week, then pulled it again after reports that the update broke websites such as Facebook. The iPhone maker said it would fix the issue before re-releasing the security-only iPhone update, which is now here as iOS 16.5.1 (c).
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.