A new zero-day in WebKit is impacting iPhones, Mac devices and iPads. Suspecting the zero-day is being actively exploited, the company is pushing an update.
Apple is implementing a Rapid Security Response (RSR) update on iPhones, iPads and Macs. “This Rapid Security Response provides important security fixes and is recommended for all users,” Apple states in the update.
It is in response to a new zero-day that leaves fully patched devices vulnerable. Apple itself claims to be aware that there is a chance hackers could exploit the problem.
An RSR update is Apple’s method of getting urgent vulnerabilities fixed faster. It is a compact update that can be pushed between major software updates.
The new zero-day CVE-2023-37450 is a flaw in WebKit, Apple’s browser engine. The flaw allows hackers to force Apple devices to execute arbitrary code. This allows the hacker to infect the device remotely.
The patch is rolling out to devices running iOS 16.5.1 (a), iPadOS 16.5.1 (a) and macOS Ventura 13.4.1 (a). Users will receive the update automatically, but if they ignore it, the patch will get installed through the next software update.
Zeroday disclosed by anonymous researcher
Through the work of an anonymous researcher, Apple was made aware of the zero-day. Earlier this year, research also found three vulnerabilities in WebKit. So apparently Apple cybersecurity experts are missing important flaws during the review of their own products. The findings cast WebKit’s security in a whole new light. It puts pressure on the claim that Apple product are invisibility in the realm of security. A claim the tech giant has long stood by.