Apple has issued an update for a vulnerability which it says may have been actively exploited.
The security content for Safari 16.5.2 shows that the vulnerability was found in the WebKit component, Apple's web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps. On iOS and iPadOS even third-party browsers have to use WebKit under the hood, so it is no surprise that this update is available for a range of operating systems (OSs):
Update | Available for
Safari 16.5.2 | macOS Big Sur and macOS Monterey
Rapid Security Response iOS 16.5.1 (a) & iPadOS 16.5.1 (a) | iOS 16.5.1 and iPadOS 16.5.1
Rapid Security Response macOS Ventura 13.4.1 (a) | macOS Ventura 13.4.1
For most users, no action is required: by default, Apple devices install Rapid Security Responses automatically. If needed, users will receive a prompt to restart their device.
Rapid Security Response (RSR) is a new type of software patch delivered between Apple's regular, scheduled software updates. Previously, Apple security fixes came bundled along with features and improvements, but RSRs only carry security fixes. They're meant to make the deployment of security improvements faster and more frequent. According to an Apple notice about RSRs, the new updates "may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist 'in the wild'." RSR was first introduced in May of 2023.
To check whether you have RSR enabled, open System Settings, click General, then Software Update, then Automatic Updates, and make sure the toggle for Install Security Responses and system files is turned on.
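For a Mac admin who would rather verify the same thing from the command line (for example across a fleet), here is an added example script, not from the article or from Apple. It assumes that on Ventura `sw_vers` prints a "ProductVersionExtra:" line carrying the RSR letter, and that the Install Security Responses and system files toggle is stored in com.apple.SoftwareUpdate under the ConfigDataInstall and CriticalUpdateInstall keys; the sample `sw_vers` outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the article or Apple. Assumptions: on Ventura, `sw_vers`
# prints a "ProductVersionExtra:" line carrying the RSR letter, and the
# "Install Security Responses and system files" toggle is stored in
# com.apple.SoftwareUpdate as ConfigDataInstall and CriticalUpdateInstall.

# rsr_state "<sw_vers output>" "<base version>" "<expected RSR suffix>"
# Prints: patched | unpatched | other-release
rsr_state() {
    out=$1; want_base=$2; want_extra=$3
    base=$(printf '%s\n' "$out" | awk -F':' '/^ProductVersion:/ {gsub(/[ \t]/, "", $2); print $2}')
    extra=$(printf '%s\n' "$out" | awk -F':' '/^ProductVersionExtra:/ {gsub(/[ \t]/, "", $2); print $2}')
    if [ "$base" != "$want_base" ]; then
        echo other-release          # a different macOS release; this RSR does not apply
    elif [ "$extra" = "$want_extra" ]; then
        echo patched                # e.g. 13.4.1 (a) from the table above
    else
        echo unpatched              # 13.4.1 with no (or a different) RSR suffix
    fi
}

# Reports the stored values behind the Settings toggle. An unset key means the
# OS default applies, so it is reported rather than treated as a failure.
auto_rsr_report() {
    plist=/Library/Preferences/com.apple.SoftwareUpdate
    for key in ConfigDataInstall CriticalUpdateInstall; do
        val=$(defaults read "$plist" "$key" 2>/dev/null) || val="unset (OS default)"
        echo "$key: $val"
    done
}

# Constructed sample outputs in sw_vers format (tab-separated, as on macOS).
SAMPLE_PATCHED=$(printf 'ProductName:\tmacOS\nProductVersion:\t13.4.1\nProductVersionExtra:\t(a)')
SAMPLE_UNPATCHED=$(printf 'ProductName:\tmacOS\nProductVersion:\t13.4.1')
SAMPLE_OTHER=$(printf 'ProductName:\tmacOS\nProductVersion:\t13.4')

for s in "$SAMPLE_PATCHED" "$SAMPLE_UNPATCHED" "$SAMPLE_OTHER"; do
    rsr_state "$s" 13.4.1 '(a)'
done

# On a real Mac, check the live system against the Ventura RSR from the table.
if command -v sw_vers >/dev/null 2>&1; then
    echo "live: $(rsr_state "$(sw_vers)" 13.4.1 '(a)')"
    auto_rsr_report
fi
```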
It may be important to note that the first attempt to patch this vulnerability, offered as iOS 16.5.1 (a), reportedly broke some sites. This first attempt was pulled hours after release. Apple then followed up with this latest update.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in this update is:
CVE-2023-37450: Processing web content may lead to arbitrary code execution. The issue was addressed with improved checks.
Apple doesn't disclose, discuss, or confirm security issues until a patch is available and users have had the opportunity to apply it. What we can conclude from that description is that the bug could be used for drive-by downloads: it might allow an attacker to execute arbitrary code by tricking users into opening web pages containing specially crafted content.
This weekend I received a notification about RSR iOS 16.5.1 (c). The release of iOS 16.5.1 (c) comes after Apple issued iOS 16.5.1 (a) earlier this week, then pulled it again after reports that the update broke websites such as Facebook. The iPhone maker said it would fix the issue before re-releasing the security-only iPhone update, which is now here as iOS 16.5.1 (c).