Apple has confirmed that the emergency security updates it released on Monday, aimed at addressing a zero-day vulnerability, have inadvertently caused browsing issues on some websites. The company has not provided a detailed explanation of why certain sites are not rendering correctly, but the cause is reportedly the user-agent detection used by services such as Zoom, Facebook, and Instagram. These services have started showing errors in Safari on devices that have been patched.
After the Rapid Security Responses (RSR) updates are applied on an iOS device, the new user agent includes an '(a)' string, which prevents websites from recognizing it as a valid Safari version, resulting in 'browser not supported' error messages. Apple has acknowledged the issue in a support document released on Tuesday, stating, "Apple is aware of an issue where recent Rapid Security Responses might prevent some websites from displaying properly." New updates (iOS 16.5.1 (b), iPadOS 16.5.1 (b), and macOS 13.4.1 (b)) to address this issue will be released soon, according to the company.
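The failure mode described above, as an added example (not code from Apple or from any of the affected sites): a version check anchored on an exact user-agent layout rejects a patched Safari, while a parser that treats the parenthesised letter as an optional suffix does not. The user-agent strings are constructed samples, the position of '(a)' directly after the Version token is an assumption, and the function names are hypothetical.

```javascript
// Constructed sample user agents (not captured traffic). Placing "(a)" directly
// after the Version token is an assumption; the article only says it is included.
const UA_BASE =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) ";
const UA_BEFORE = UA_BASE + "Version/16.5 Mobile/15E148 Safari/604.1";
const UA_AFTER = UA_BASE + "Version/16.5 (a) Mobile/15E148 Safari/604.1";

// Brittle check (hypothetical): expects Version/<digits> to be followed
// immediately by the next product token, so any extra token breaks the match.
function strictSafariVersion(ua) {
  const m = /Version\/(\d+(?:\.\d+)*) (?:Mobile\/\S+ )?Safari\/[\d.]+$/.exec(ua);
  return m ? m[1] : null;
}

// Tolerant parse (hypothetical): numeric parts are captured separately and a
// single parenthesised letter after the version is accepted as an optional suffix.
function tolerantSafariVersion(ua) {
  if (!/\bSafari\//.test(ua)) return null;
  const m = /Version\/(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\s*\(([a-z])\))?/.exec(ua);
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2] || 0),
    patch: Number(m[3] || 0),
    suffix: m[4] || null,
  };
}

// Gate on the major version only. An unparseable string is reported as
// "unknown" so the caller can fall back to feature detection instead of
// showing a block page to a browser that just received a security fix.
function supportDecision(ua, minMajor) {
  const v = tolerantSafariVersion(ua);
  if (v === null) return "unknown";
  return v.major >= minMajor ? "supported" : "unsupported";
}

for (const ua of [UA_BEFORE, UA_AFTER]) {
  console.log(strictSafariVersion(ua), JSON.stringify(tolerantSafariVersion(ua)),
    supportDecision(ua, 15));
}
```
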
Apple has advised customers who have already installed the problematic security updates and are experiencing browsing issues to remove them. iPhone or iPad users can do this by selecting 'Remove Security Response' under Settings > About > iOS Version. Mac users can remove the RSR updates from the menu in 'About this Mac.'
The zero-day vulnerability, tracked as CVE-2023-37450, was discovered in Apple's WebKit browser engine. It allows attackers to execute arbitrary code by tricking targets into opening web pages with malicious content. "Apple is aware of a report that this issue may have been actively exploited," the company stated in iOS and macOS advisories describing the CVE-2023-37450 vulnerability patched in the recent emergency security updates.
The company has urged all users to install the Rapid Security Response, stating, "This Rapid Security Response provides important security fixes and is recommended for all users." So far this year, Apple has patched a total of ten zero-day vulnerabilities exploited in the wild to hack iPhones, Macs, or iPads. These include three recently addressed zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) that were exploited in attacks to install Triangulation spyware on iPhones via iMessage zero-click exploits.