Apple Rolls Out Urgent Security Update to Address Active Zero-Day Exploits

July 10, 2023

Apple has released a Rapid Security Response (RSR) to address an actively exploited zero-day vulnerability, identified as CVE-2023-37450, affecting fully-patched iPhones, iPads, and Macs. According to the iOS and macOS advisories, the company has acknowledged reports of active exploitation of this issue. An RSR is a compact update designed to resolve security issues that arise between major software updates. Installing it is highly recommended for all users, especially on systems where the RSR patches are being delivered.

RSR patches address security concerns on Apple's platforms, including the iPhone, iPad, and Mac, that emerge between major software updates. Some out-of-band security updates may also be used to address security vulnerabilities that are actively being exploited. If users disable automatic updates or do not install RSRs when available, their devices will be patched as part of future software upgrades.

The vulnerability has been identified in Apple's WebKit browser engine. It allows threat actors to execute arbitrary code on targeted devices by luring targets into opening web pages with malicious content. Apple has addressed this security weakness by implementing improved checks to deter exploitation attempts.

Since the beginning of 2023, Apple has patched ten zero-day vulnerabilities that were exploited in the wild to hack iPhones, Macs, or iPads. Earlier this month, the company addressed three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) that were exploited to deploy Triangulation spyware on iPhones via iMessage zero-click exploits. It also fixed three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May, which were first reported by Amnesty International Security Lab and Google Threat Analysis Group researchers and were likely used to install mercenary spyware.

In April, Apple addressed two other zero-days (CVE-2023-28206 and CVE-2023-28205) that were part of exploit chains of Android, iOS, and Chrome zero-day and n-day flaws used to deploy spyware on devices belonging to high-risk targets. In February, Apple patched another WebKit zero-day (CVE-2023-23529) that was exploited to gain code execution on vulnerable iPhones, iPads, and Macs.
