Why Apple Just Pulled An Emergency Zero-Day Fix For iPhone, iPad And Mac

Last month, Apple pushed multiple security updates for its products due to vulnerabilities that could lead to the Triangulation spyware being put on your device. Now, the Cupertino-based company has rolled out another Rapid Security Response (RSR) but has since pulled it back due to flaws with the update.

Yesterday, Apple pushed update 16.5.1 (a) for iOS and iPadOS as well as 13.4.1 (a) for macOS to address an issue in WebKit. For those unaware, WebKit is the web browser engine for Apple products that makes many apps, including Safari, tick behind the scenes. However, a vulnerability, tracked as CVE-2023-37450, was discovered in the engine that could lead to arbitrary code execution. This is similar to what we saw with the previous major security update, which also addressed a WebKit issue.


Apple had also found that this vulnerability was being exploited in the wild and, as such, pushed the Rapid Security Response update mentioned above with improved checks to prevent the issue. One thing to note about RSRs is that once the update has been applied, a letter corresponding to the update appears after the version number, such as 16.5.1 (a). It is speculated that appending this letter to the software version had ripple effects, including appending it to the user agent string, which is sent to websites when they are accessed. This evidently breaks things, as users, and eventually Apple, reported that “this Rapid Security Response might prevent some websites from displaying properly.”

Subsequently, Apple pulled the update and is expected to re-release it as a (b) version Rapid Security Response that addresses both this speculated issue and the vulnerability. Hopefully, that will come later today or early tomorrow, so keep an eye on your Apple device for updates, as this issue is being exploited in the wild.

Update, 7/13/2023 - 1:25 AM EST

It appears that Apple has since re-released the update under the (c) designation, skipping over (b) entirely. Both of these new patches, besides fixing the initial issue with WebKit, now "fix an issue that prevents some websites from displaying properly."
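
For anyone tracking a fleet, the lettered versions above turn into a simple inventory check. The following Python sketch is an added example, not code from Apple or from the original article; the host names and inventory rows are constructed, and it classifies only the builds the article names.

```python
import re

# Base versions and RSR letters as reported in the article; nothing else is covered.
RSR_BASE = {"iOS": (16, 5, 1), "iPadOS": (16, 5, 1), "macOS": (13, 4, 1)}
PULLED_LETTER = "a"  # first RSR, withdrawn after websites failed to display
FIXED_LETTER = "c"   # re-released RSR with the WebKit fix and the display fix

# Accepts "16.5.1", "16.5.1 (a)" and "16.5.1(a)"; anything else is rejected.
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:\(([a-z])\))?\s*$")

def parse_version(text):
    """Return ((major, minor, patch), rsr_letter or None); raise ValueError if malformed."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch or 0)), letter

def rsr_status(platform, version_text):
    """Classify one device against the RSR history described in the article."""
    base = RSR_BASE.get(platform)
    if base is None:
        return "out-of-scope"
    try:
        numbers, letter = parse_version(version_text)
    except ValueError:
        return "unparseable"
    if numbers != base:
        return "out-of-scope"   # builds the article does not discuss
    if letter is None:
        return "missing-rsr"    # no RSR applied: WebKit fix absent
    if letter == PULLED_LETTER:
        return "pulled-rsr"     # WebKit fix present, websites may misrender
    if letter == FIXED_LETTER:
        return "fixed"
    return "unknown-rsr"        # e.g. (b), which was skipped

# Constructed inventory rows: (host, platform, reported OS version).
INVENTORY = [
    ("phone-01", "iOS", "16.5.1"),
    ("phone-02", "iOS", "16.5.1 (a)"),
    ("tablet-01", "iPadOS", "16.5.1(c)"),
    ("laptop-01", "macOS", "13.4.1 (c)"),
    ("laptop-02", "macOS", "13.4.1 a"),
]

def audit(inventory):
    """Map each host to its status so unpatched devices can be followed up."""
    return {host: rsr_status(platform, ver) for host, platform, ver in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `missing-rsr` or `pulled-rsr` are the ones to move to the (c) release.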