Apple today confirmed that emergency security updates released on Monday to resolve a zero-day bug exploited in attacks also interrupt browsing on some websites. New ones will be released soon to address this known issue, the company says.
Although Apple has not explained why the affected websites stopped displaying correctly, the problem reportedly arises because the user-agent detection used by certain services (such as Zoom, Facebook and Instagram) no longer recognizes the browser, causing those websites to start showing errors in Safari on patched devices.
For example, after applying the RSR update on an iOS device, the new user agent contains an "(a)" string: "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.2 (a) Mobile/15E148 Safari/604.1". This prevents websites from detecting it as a valid version of Safari, so they show "unsupported browser" error messages.
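As an added illustration (not code from the article or from Apple), the JavaScript below contrasts a strict user-agent check that expects the Version token to be followed directly by "Mobile/" with a tolerant one that reads the Version token on its own; the post-RSR string is the one quoted above, while the pre-RSR string is constructed for comparison.

```javascript
// Constructed pre-RSR user agent (assumed shape, for comparison only).
const UA_BEFORE_RSR =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Mobile/15E148 Safari/604.1";

// Post-RSR user agent as quoted in the article; note the "(a)" after the Version token.
const UA_AFTER_RSR =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.2 (a) Mobile/15E148 Safari/604.1";

// Strict detection: assumes "Version/x.y[.z]" is immediately followed by " Mobile/".
// Any extra token in between (like the RSR "(a)" marker) makes the match fail,
// and the site falls through to its "unsupported browser" path.
function strictSafariVersion(ua) {
  if (!/Safari\//.test(ua)) return null;
  const m = /Version\/(\d+)\.(\d+)(?:\.(\d+))? Mobile\//.exec(ua);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]) };
}

// Tolerant detection: identify Safari by its WebKit and Safari tokens, exclude
// other WebKit-based browsers that also carry "Safari/", then read the Version
// token by itself, ignoring whatever follows it.
function tolerantSafariVersion(ua) {
  if (!/AppleWebKit\//.test(ua) || !/Safari\//.test(ua)) return null;
  if (/\b(?:Chrome|CriOS|FxiOS|Edg|EdgiOS)\//.test(ua)) return null;
  const m = /\bVersion\/(\d+)\.(\d+)(?:\.(\d+))?/.exec(ua);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]) };
}

// Support gate a site might apply: require at least a given major version.
function isSupported(parsed, minMajor) {
  return parsed !== null && parsed.major >= minMajor;
}

// Demonstration: the strict check rejects the patched device, the tolerant one does not.
console.log("strict, post-RSR:", isSupported(strictSafariVersion(UA_AFTER_RSR), 15));
console.log("tolerant, post-RSR:", isSupported(tolerantSafariVersion(UA_AFTER_RSR), 15));
```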
"Apple is aware of an issue where recent Rapid Security Responses may prevent certain websites from displaying correctly," the company said in a support document published on Tuesday.
“Rapid Security Responses iOS 16.5.1(b), iPadOS 16.5.1(b), and macOS 13.4.1(b) will be available soon to address this issue.”
The company is advising customers who have already applied the buggy security updates to remove them if they experience any issues while browsing the web.
On iPhone or iPad devices, you can do this by going to Settings > About > iOS Version, tapping "Remove Security Response", and then tapping "Remove" to confirm.
Mac users can remove the RSR update by opening the menu, selecting "About This Mac" and clicking More Info. Once there, click the Info button (i) next to the macOS version number, then click "Remove" and "Restart".
The zero-day flaw (identified as CVE-2023-37450) was found in Apple’s WebKit browser engine, and it allows attackers to achieve arbitrary code execution by tricking targets into opening web pages containing maliciously crafted content.
"Apple is aware of a report that this issue may have been actively exploited," the company said in the iOS and macOS advisories describing the CVE-2023-37450 vulnerability fixed in yesterday's emergency security updates.
"This Rapid Security Response provides important security fixes and is recommended for all users," Apple warned customers on devices where the RSR patches were delivered.
Since the beginning of the year, Apple has patched a total of ten zero-day flaws exploited in the wild to hack iPhones, Macs or iPads.
For example, earlier this month, Apple addressed three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) exploited in attacks to install Triangulation spyware on iPhones via zero-click iMessage exploits.
Before that, the company also fixed:
- Three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May, first reported by researchers at Amnesty International's Security Lab and Google's Threat Analysis Group and likely used to install mercenary spyware.
- Two more zero-days (CVE-2023-28206 and CVE-2023-28205) in April, used as part of exploit chains combining zero-day and n-day flaws in Android, iOS and Chrome to deploy spyware on devices belonging to high-risk targets.
- Another WebKit zero-day (CVE-2023-23529) in February, exploited to achieve code execution on vulnerable iPhones, iPads, and Macs.