Apple Webkit Zero-Day Actively Exploited in the Wild

Dataprise Defense Digest

ID: D3-2023-0007-1

Published: July 11, 2023

Severity: 9 (CRITICAL)

Executive Summary

On July 10, 2023, Apple released Rapid Security Response updates for iOS, iPadOS, macOS, and the Safari web browser that address a zero-day vulnerability that has been actively exploited in the wild. However, on July 11, 2023, Apple rescinded the updates because they caused certain websites, such as Facebook, Instagram, and Zoom, to display an “Unsupported Browser” error when accessed. Apple is working on revised updates and states that it expects them to be available “soon” for all affected iOS devices. Dataprise recommends that all iOS users use extra caution when browsing web content on affected devices until patches are made available.

Detailed Analysis

An anonymous researcher has identified and reported a critical zero-day vulnerability affecting Apple’s iOS, iPadOS, macOS, and Safari software. This vulnerability is being tracked as CVE-2023-37450 and, when exploited, allows an attacker to execute arbitrary code when specially crafted web content is processed. Because patches are not yet available, Apple is being tight-lipped about the specific details of the vulnerability and how the exploit works.

The updates Apple released on July 10, 2023, were for iOS 16.5.1 (a), iPadOS 16.5.1 (a), macOS Ventura 13.4.1 (a), and Safari 16.5.2. However, these updates have since been removed because certain legitimate websites displayed an error after the updates were installed. Apple will re-release patches “soon” to address these zero-day vulnerabilities.

Dataprise recommends all affected Apple iOS devices be updated as soon as revised updates are available.

Contributing Authors

Stephen Jones, Vice President of Cybersecurity
