Apple pushes Rapid Response patch to fix WebKit zero-day

Apple has deployed a patch under its new Rapid Security Response (RSR) update programme for the second time, addressing a potentially dangerous zero-day in iOS for iPhone, iPadOS for iPad, macOS Ventura for Mac, and Safari for macOS Big Sur and Monterey.

However, in the intervening hours, users who have downloaded and applied the relatively small patch have reported that it appears to break the Safari web browser’s ability to support certain websites, including Meta’s Facebook and Instagram platforms. This has caused Apple to pause its distribution temporarily.

Posters on the popular MacRumors forum joked that breaking Facebook was in fact an “excellent” security fix, and enhanced user privacy into the bargain.

Tracked as CVE-2023-37450, which is being credited to an anonymous security researcher, the zero-day in question affects WebKit, which is the open source browser engine that underpins the Safari web browser, as well as many other Apple properties.

According to Apple, the vulnerability leads to a situation in which processing malicious web content could enable an unauthorised actor to achieve arbitrary code execution capabilities on the target device. It is addressed with improved checks.

Cupertino said it was “aware of a report that this issue may have been actively exploited” in the wild by an undisclosed party.

The update takes iOS and iPadOS to version 16.5.1 (a), macOS Ventura to version 13.4.1 (a), and Safari to version 16.5.2.

Apple introduced RSR updates as a means to deliver important security improvements in between larger, scheduled software updates. They are only ever delivered for the latest versions of Apple’s operating systems, and are generally taken automatically, although this option can be disabled if not wanted.

Apple first used RSR in anger in May 2023, when it dropped a number of updates but sparked some confusion among users after releasing no information about any of the problems that the update was intended to fix – some users additionally found they were unable to apply the patch.

Speaking to Computer Weekly via email in May, Jamf strategy vice-president Michael Covington said that the benefits of RSR far outweighed the lack of clarity, making it simpler and less disruptive for users and administrators to apply the necessary patches.

The fact that Apple has disclosed more information about the nature of the vulnerability in question appears to indicate it has acknowledged the discussion prompted by the May 2023 patch.

Vulnerabilities that lead to arbitrary code execution are considered particularly dangerous because by giving an unauthorised party the ability to inject and run their own malicious code on their victims’ systems, they open the door to a wide range of malicious activity.

A threat actor could, for example, use an arbitrary code execution vulnerability as a means to disable the victim’s security protections, exploit their systems to conduct downstream attacks against other internal or external targets, exfiltrate data, and conduct extortion or ransomware attacks.

Paying attention to some basic security housekeeping is by-and-large effective at warding off cyber attacks exploiting arbitrary code execution.

Useful countermeasures include keeping all software applications (including security software) patched and up to date, conducting regular system scans for malwares and vulnerabilities, deny-listing IPs known to be malicious, and enforcing proper credential hygiene.