Apple pushes urgent security fix for exploited zero day – then kills it after websites broke
Risk arbitrary code execution or face howls from users unable to access Instagram? Priorities, priorities. A fresh fix is coming after the initial RSR was rolled back.
Updated July 13: Apple has now released a fresh patch!
Apple on July 10 released a “Rapid Security Response” (RSR) emergency patch for a zero day under active exploitation in the wild – only its second ever use of the mechanism – then pulled the patch in under 12 hours, saying it “might prevent some websites from displaying properly.”
The vulnerability is in WebKit, the browser engine behind Apple's Safari and, under Apple's rules, every other web browser on iOS and iPadOS. It has been allocated CVE-2023-37450. Apple has disclosed only the faintest of details; the bug was reported by an anonymous researcher.
But it confirmed that, when exploited, “processing web content may lead to arbitrary code execution”: a description vague enough to be of little use to curious journalists without the technical chops to rapidly reverse engineer the patch, yet specific enough to signal that the bug is severe and demands urgent action. In practice that wording means the victim need only load attacker-controlled web content (a malicious page, a compromised site, or an ad) for the exploit to fire.
Those who had not updated quickly (for what it is worth, Apple's patch was under 3MB) soon found they could no longer do so, because Apple pulled the update. Citing the website display issues, Cupertino now says [here and here] that “Rapid Security Response macOS 13.4.1 (b)/Rapid Security Response iOS 16.5.1 (b) and iPadOS 16.5.1 (b)... will be available soon to address this issue.”
As Forbes' David Phelan, one of the first to report the story, notes, sites such as Facebook, Zoom and Instagram all failed to load properly in Safari after the update was pushed, while their native apps kept working. Security-conscious administrators looking after fleets of macOS systems may want to wait for the less buggy (b) release rather than roll back the (a) patch and run unprotected in the meantime.
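For admins deciding what to do with a fleet, the first question is which machines actually got the withdrawn 13.4.1 (a) response. The following script is an added example written for this article, not code from Apple or from the original piece. It assumes macOS 13.3 or later, where `sw_vers` prints a `ProductVersionExtra` line carrying the RSR suffix (the “(a)” that also shows in About This Mac) when a Rapid Security Response is installed; the sample `sw_vers` output embedded below is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article or Apple): classify a Mac by whether it
# is on the withdrawn 13.4.1 (a) Rapid Security Response, so a fleet admin can
# decide whether to wait for the promised 13.4.1 (b) rather than roll back.
# Assumption: on macOS 13.3+ `sw_vers` emits "ProductVersionExtra:<tabs>(a)"
# when an RSR is applied and omits the line otherwise.

# Extract one "Key:<whitespace>Value" field from sw_vers-style text on stdin.
sw_field() {
    awk -F: -v key="$1" '$1 == key { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Classify a host from the full text of its sw_vers output ($1).
# Prints exactly one of: no-rsr, withdrawn-rsr, later-rsr
rsr_status() {
    rsr_version=$(printf '%s\n' "$1" | sw_field ProductVersion)
    rsr_extra=$(printf '%s\n' "$1" | sw_field ProductVersionExtra)
    case "$rsr_version/$rsr_extra" in
        "13.4.1/(a)") echo withdrawn-rsr ;;   # the pulled July 10 response
        */)           echo no-rsr ;;          # base OS only, no RSR applied
        *)            echo later-rsr ;;       # some other RSR, e.g. (b)
    esac
}

# Constructed sample output, shaped like `sw_vers` on a Mac that took the (a) RSR.
SAMPLE_WITHDRAWN='ProductName:		macOS
ProductVersion:		13.4.1
ProductVersionExtra:	(a)
BuildVersion:		22F82'

# Constructed sample for a Mac that never installed the response.
SAMPLE_CLEAN='ProductName:		macOS
ProductVersion:		13.4.1
BuildVersion:		22F82'

# Run against the live machine with `--live`; otherwise show the samples.
if [ "${1:-}" = "--live" ] && command -v sw_vers >/dev/null 2>&1; then
    rsr_status "$(sw_vers)"
else
    printf 'sample with (a): %s\n' "$(rsr_status "$SAMPLE_WITHDRAWN")"
    printf 'sample without:  %s\n' "$(rsr_status "$SAMPLE_CLEAN")"
fi
```

Pushed through an MDM or SSH loop, `rsr_status "$(sw_vers)"` gives a one-word answer per host; anything reporting `withdrawn-rsr` is patched against CVE-2023-37450 but carries the web-compatibility bug, which is the population to watch for the (b) release. Note that the parser keys on the exact field name, so a host running a release older than 13.3 simply reports `no-rsr` because the field is absent.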
The extent of exploitation is unclear, but handing threat actors arbitrary code execution merely by serving malicious web content to the browser is something best avoided like the plague, so keep an eye out for the fresh fix and apply it promptly.