Apple has promptly launched a Security Response update to counteract CVE-2023-37450 – a vulnerability detected in the most recent versions of their iOS, iPadOS, and macOS software. This immediate response was necessitated by the suspected active exploitation of the zero-day bug.
Here’s everything you need to know:
What is CVE-2023-37450?
This vulnerability impacts the WebKit browser component employed in iPhones and iPads using iOS 16.5.1 and desktop macOS Ventura 13.4.1(a) software. Apple’s support documents reveal that this bug can be manipulated by attackers to initiate arbitrary code execution while processing web content.
Does CVE-2023-37450 affect me?
The following software versions are affected by CVE-2023-37450:
- Versions prior to iOS 16.5.1(a)
- Versions prior to iPadOS 16.5.1(a)
- Versions prior to macOS Ventura 13.4.1(a)
- Versions prior to Safari 16.5.2
Has CVE-2023-37450 been actively exploited in the wild?
After rolling out the urgent iOS and iPadOS software updates, Apple has warned that zero-day exploitation has already been detected in the wild.
How to fix CVE-2023-37450
RSR patches have been released as streamlined updates targeted to address security issues on the iPhone, iPad, and Mac platforms. As per Apple’s support document, they are aimed at solving security problems that crop up between significant software updates.
Additionally, certain out-of-band security updates may also be employed to tackle security flaws that are being actively targeted in attacks.
Here are the fixes released by the vendor:
- iOS 16.5.1(a)
- iPadOS 16.5.1(a)
- macOS Ventura 13.4.1(a)
- Safari 16.5.2
These security updates are part of Apple’s ongoing effort to tackle zero-day vulnerabilities, many of which aim to resolve so-called “zero-click” vulnerabilities or spyware, such as kernel vulnerabilities patched in June. Several vulnerabilities were also remedied in April and May.
Since the onset of 2023, Apple has patched ten zero-day flaws exploited in real-world attacks on iPhones, Macs, and iPads. Earlier this month, it patched three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) that were utilized to launch Triangulation spyware on iPhones through iMessage zero-click exploits.
In May, Apple patched three additional zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373), the first of which was reported by Amnesty International Security Lab and Google Threat Analysis Group researchers and likely employed for the deployment of mercenary spyware.
In April, Apple alerted users of two bugs that were being actively exploited across iOS, macOS, and Safari, including one in the IOSurfaceAccelerator (CVE-2023-28206) and another in the WebKit framework (CVE-2023-28205).
In March, Google TAG and Amnesty International unveiled two spyware campaigns that used iOS and Android zero-day exploit chains to target victims globally.
In February, Apple patched another WebKit zero-day (CVE-2023-23529) that was exploited to achieve code execution on vulnerable iPhones, iPads, and Macs.
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- CVSS v4.0 – what you need to know
- Can you trust ChatGPT’s package recommendations?
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- OWASP Top 10 vulnerabilities 2022: what we learned