Apple has released a new round of Rapid Security Response (RSR) updates to address a new zero-day bug exploited in attacks and affecting fully patched iPhones, Macs, and iPads.
“Apple is aware of a report that this issue may have been actively exploited,” the company says in the iOS and macOS advisories describing the CVE-2023-37450 vulnerability, which was reported by an anonymous security researcher.
“This Rapid Security Response provides important security fixes and is recommended for all users,” Apple warns on devices where the RSR fixes are offered.
RSR patches were introduced as compact updates designed to address security issues on the iPhone, iPad, and Mac platforms; they resolve security issues that arise between major software updates, according to Apple's support document.
These out-of-band security updates can also be used to mitigate vulnerabilities that are being actively exploited in attacks.
If you turn off automatic updates or do not install Rapid Security Responses when they are offered, your device will instead receive the fixes through future software updates.
The current list of emergency fixes includes:
- macOS Ventura 13.4.1 (a)
- iOS 16.5.1 (a)
- iPadOS 16.5.1 (a)
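Because an RSR shows up as a letter suffix on the base version rather than as a new version number, a fleet check has to compare both parts. The POSIX shell script below is an added example (it is not from the article or from Apple) that parses `sw_vers`-style output and reports whether a Mac is at the emergency patch level listed above; the samples are constructed, and the `ProductVersionExtra` field name is an assumption about how `sw_vers` reports an installed RSR rather than something the article states.

```shell
#!/bin/sh
# Added example, not from the article: classify a Mac's reported patch level
# against the RSR versions listed above. The sw_vers samples are constructed.
# Assumption: sw_vers prints a "ProductVersionExtra:" line, e.g. "(a)", once an
# RSR is installed. On a real Mac call: rsr_applied 13.4.1 '(a)' "$(sw_vers)"

# Print one field ("ProductVersion" or "ProductVersionExtra") from sw_vers text.
# $1 = field name, $2 = full sw_vers output. Prints nothing if the field is absent.
sw_field() {
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2; exit }'
}

# rsr_applied BASE EXTRA SW_VERS_TEXT
# Prints "patched"   when the device reports BASE plus the RSR supplement EXTRA,
#        "needs-rsr" when it is on BASE but the supplement is missing,
#        "other"     when it is on a different base version entirely.
rsr_applied() {
    base="$1"; extra="$2"; text="$3"
    ver=$(sw_field ProductVersion "$text")
    sup=$(sw_field ProductVersionExtra "$text")
    if [ "$ver" = "$base" ] && [ "$sup" = "$extra" ]; then
        echo patched
    elif [ "$ver" = "$base" ]; then
        echo needs-rsr
    else
        echo other
    fi
}

# Constructed sample outputs (not real captures from any machine).
PATCHED_SAMPLE='ProductName:            macOS
ProductVersion:         13.4.1
ProductVersionExtra:    (a)'

UNPATCHED_SAMPLE='ProductName:            macOS
ProductVersion:         13.4.1'

OLDER_SAMPLE='ProductName:            macOS
ProductVersion:         13.3.1'

# Stand-alone run: report each constructed sample against macOS Ventura 13.4.1 (a).
for s in "$PATCHED_SAMPLE" "$UNPATCHED_SAMPLE" "$OLDER_SAMPLE"; do
    printf '%s -> %s\n' "$(sw_field ProductVersion "$s")" "$(rsr_applied 13.4.1 '(a)' "$s")"
done
```

The "needs-rsr" state is the one a fleet inventory is most likely to miss, since a device on 13.4.1 without the "(a)" supplement looks fully up to date to any check that only compares the base version. The same comparison applies to iOS and iPadOS 16.5.1 (a) when the version string comes from an MDM inventory instead of `sw_vers`.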
The flaw was found in the WebKit browser engine developed by Apple. It allows attackers to gain arbitrary code execution on targeted devices by tricking victims into opening web pages containing maliciously crafted content.
The company fixed the flaw with improved checks that mitigate exploitation attempts.
Tenth zero-day patch in 2023
Since the beginning of 2023, Apple has patched ten zero-day flaws exploited in the wild to hack iPhones, Macs or iPads.
Earlier this month, Apple addressed three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) exploited to deploy Triangulation spyware on iPhones via zero-click iMessage exploits.
It also fixed three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May, first reported by researchers at Amnesty International's Security Lab and Google's Threat Analysis Group and likely used to install mercenary spyware.
In April, Apple fixed two more zero-days (CVE-2023-28206 and CVE-2023-28205) used as part of Android, iOS, and Chrome zero-day and n-day exploit chains to deploy spyware on devices belonging to high-risk targets.
In February, Apple patched another WebKit zero-day (CVE-2023-23529) exploited to achieve code execution on vulnerable iPhones, iPads, and Macs.