Apple Rolls Out Urgent Security Update to Address Active Zero-Day Exploits
July 10, 2023
Apple has released a Rapid Security Response (RSR) to address an actively exploited zero-day vulnerability, tracked as CVE-2023-37450, that affects fully patched iPhones, iPads, and Macs. According to the iOS and macOS advisories, the company is aware of reports that the issue has been actively exploited. An RSR is a compact update designed to resolve security issues that arise between major software updates. Installing it is highly recommended for all users, especially on systems where the RSR patches are being delivered.
RSR patches address security concerns on Apple's platforms, including the iPhone, iPad, and Mac, that emerge between major software updates. Some out-of-band security updates may also be used to address vulnerabilities that are actively being exploited. If users disable automatic updates or do not install RSRs when they become available, their devices will be patched as part of future software upgrades.
The vulnerability has been identified in Apple's WebKit browser engine. It allows threat actors to execute arbitrary code on targeted devices by luring targets into opening web pages with malicious content. Apple has addressed this security weakness by implementing improved checks to deter exploitation attempts.
Since the beginning of 2023, Apple has patched ten zero-day vulnerabilities that were exploited in the wild to hack iPhones, Macs, or iPads. Earlier this month, the company addressed three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) that were exploited to deploy Triangulation spyware on iPhones via iMessage zero-click exploits. It also fixed three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May, which were first reported by Amnesty International Security Lab and Google Threat Analysis Group researchers and were likely used to install mercenary spyware.
In April, Apple addressed two other zero-days (CVE-2023-28206 and CVE-2023-28205) that were part of exploit chains of Android, iOS, and Chrome zero-day and n-day flaws used to deploy spyware on devices belonging to high-risk targets. In February, Apple patched another WebKit zero-day (CVE-2023-23529) that was exploited to gain code execution on vulnerable iPhones, iPads, and Macs.