Apple patches iOS and macOS zero-day
Flaw enables arbitrary code execution on iPhones, iPads and Macs
Apple has issued a fix for a bug affecting even fully patched iPhones, iPads and Macs.
The company wrote that it is "aware of a report that this issue may have been actively exploited" in its latest iOS and macOS security advisories.
The Rapid Security Response (RSR) updates Apple has just issued are:
- macOS Ventura 13.4.1 (a)
- iOS 16.5.1 (a)
- iPadOS 16.5.1 (a)
- Safari 16.5.2
RSR updates are effectively small security fixes between major patches. They are automatically applied for most users.
If you decline the RSR, your device will still be patched when Apple issues its next major software update.
These latest fixes address a flaw known as CVE-2023-37450, found in WebKit.
Attackers can leverage this vulnerability to achieve arbitrary code execution by tricking users into navigating to malicious webpages.
Apple addressed the issue with improved checks.
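For teams tracking rollout, the sketch below checks reported OS and Safari versions against the fixed builds listed above, including the case where an inventory tool reports "13.4.1" without the RSR suffix. It is an added example, not Apple's or this article's code; the hostnames and inventory rows are constructed, and it assumes RSR letters are cumulative, so a later letter includes "(a)".

```python
import re

# Fixed builds listed in the article for CVE-2023-37450.
BASELINE = {
    "macOS": "13.4.1 (a)",
    "iOS": "16.5.1 (a)",
    "iPadOS": "16.5.1 (a)",
    "Safari": "16.5.2",
}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,2})\s*(?:\(([a-z])\))?\s*$")


def parse_version(text):
    """Return ((major, minor, patch), rsr_rank); rsr_rank is 0 without an RSR letter."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "13.5" compares as 13.5.0
    # Assumption: RSR letters are cumulative, so (b) would include (a).
    rank = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return tuple(parts), rank


def is_patched(product, reported):
    """True when the reported version is at or above the article's fixed build."""
    return parse_version(reported) >= parse_version(BASELINE[product])


def unpatched(inventory):
    """Return hostnames from (host, product, version) rows still below the baseline."""
    return [host for host, product, version in inventory
            if not is_patched(product, version)]


# Constructed sample inventory (hypothetical hostnames).
SAMPLE = [
    ("mac-01", "macOS", "13.4.1"),       # base release, RSR not applied
    ("mac-02", "macOS", "13.4.1 (a)"),   # RSR applied
    ("mac-03", "macOS", "13.5"),         # later full update
    ("phone-01", "iOS", "16.5.1"),
    ("pad-01", "iPadOS", "16.5.1 (a)"),
    ("mac-04", "Safari", "16.5.1"),
]

if __name__ == "__main__":
    for host in unpatched(SAMPLE):
        print(f"{host}: below CVE-2023-37450 baseline")
```

A plain string or three-part numeric comparison would treat "13.4.1" and "13.4.1 (a)" as the same build, which is the case this check is written to catch.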
More zero-days
Apple has fixed multiple zero-day flaws this year, including one in February and April, and three in May.
Those vulnerabilities - CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 - were all related to the WebKit browser engine. They prompted the release of iOS 16.5, macOS Ventura 13.4 and iPadOS 16.5.
One month later, in June, Apple issued RSR updates for three more zero-days, which enabled the installation of Triangulation spyware on iPhones through iMessage zero-click exploits.