Site icon Sophos News

Urgent! Apple fixes critical zero-day hole in iPhones, iPads and Macs

Update. Apparently, this patch was withdrawn by Apple, at least temporarily, not long after it came out. We’ve got advice on what to do, whether you already have the rapid response and are worried whether to keep it, or want it but can’t now get it, in an update article. [2023-07-11T15:30:00Z]

The second-ever Apple Rapid Security Response just came out.

That’s where the very latest versions of macOS, iOS and iPadOS get emergency patches that:

Speed is of the essence

The last point above is surprisingly important, given that Apple absolutely will not allow you to uninstall full-on system updates to your iPhones or iPads, even if you find that they cause genuine trouble and you wish you hadn’t applied them in the first place.

That’s because Apple doesn’t want users to be able to downgrade on purpose to reintroduce old bugs that they now know can be used for jailbreaking devices or installing an alternative operating system, even on devices that Apple itself it no longer supports.

Even if you completely wipe and reinstall your iDevice from scratch via a USB cable, using the built-in DFU (device firmware update) utility, Apple’s servers know what version you were using before the reinstall, and won’t let you activate an old firmware image onto a device that’s already been upgraded past that point.

In other words, the cost of Apple’s commercial decision to keep you on a one-way path of iPhone and iPad upgrades is that the company can’t easily afford to rush out emergency upgrades as quickly as it might otherwise like to (or as quickly as you might want).

That’s because the only way to correct any critical problems that an upgrade might cause is to produce another complete upgrade to supersede it, because there is no quick fix process for an existing full upgrade that itself was released too quickly.

The Rapid Security Response system is meant to sidestep that problem, at least for a subset of software on your device, notably for Safari and other web browsing components, which are commonly exploited by criminals for launching attacks such as silently implanting spyware or injecting surveillance-related malware.

As mentioned above, Rapid Security Response patches are meant to be quick to install, and easy to remove afterwards if you run into trouble.

In Apple’s own words, Rapid Security Responses are designed so that:

[t]hey deliver important security improvements between software updates – for example, improvements to the Safari web browser, the WebKit framework stack or other critical system libraries. They may also be used to mitigate some security issues more quickly, such as issues that may have been exploited or reported to exist.

The importance of browser patches

Browsing on its own is meant to be comparatively low risk, given that the browser itself is supposed to programmed to shield you from immediate harm.

Indeed, browser-based content isn’t supposed to be able to cause any software-based cybersecurity trouble at all if all you do is look at at a website.

Sure, you could be lied to by fake content, but that won’t directly affect the security of the code running on the device itself.

Or you could be cajoled into approving some risky action such as installing a rogue app or filling in a fake logon form, but you typically get at least a fighting chance to detect that you’re being scammed.

Simply put, as long as you’re “Just Visiting”, as the Monopoly board puts it when you land on the Jail square naturally, instead of being sent there from somewhere else, you ought to be at little or no risk from browsing activity.

Of course, the ability of your browser to shield you from entirely automated attacks, and to ensure that the content of a web page by itself is never enough by itself to infect you with malware or steal data from your device…

…depends on the browser not having any security bugs through which booby-trapped content could circumvent the browser’s own security shields and subject you to what’s jocularly known as a drive-by install or a look-and-get-pwned attack.

What to do?

These latest patches should be considered critical.

We’re assuming that they’re associated with a live spyware or malware attack that’s happening right now, given the bug that’s fixed:

Impact: Processing web content may lead 
        to arbitrary code execution. 
        Apple is aware of a report that 
        this issue may have been 
        actively exploited.

Description: The issue was addressed 
             with improved checks.

CVE-2023-37450: an anonymous researcher

In jargon-free language, “actively exploited” means “this is a zero-day”, or more bluntly, “the crooks found this one first”, which in turn means: Do not delay, simply do it today.

There are Rapid Security Responses for the latest versions of macOS Ventura 13.4.1, iOS 16.5.1 and iPadOS 16.5.1.

Those versions will report themselves as 13.4.1 (a) and 16.5.1 (a) respectively once the rapid patch is installed. (That trailing (a) will vanish if you later uninstall the patch).

For the older supported versions macOS Big Sur and macOS Monterey, there’s an old-style system update that just patches Safari, which will show up as Safari 16.5.2 after the update.

So far, however [2023-07-10T23:00:00Z], there are no updates for any other Apple platforms, even though it’s possible that that iOS 15, still officially supported on older iPhones and iPads, is affected too, along with Apple Watches and TVs.

Keep your eye on Apple’s general Security Portal and the new Rapid Security Response page for further information about updates for other Apple systems.

Head to Settings > General > Software Update to check whether you’ve correctly received and installed this emergency patch yet, and to jump to the front of the queue if you haven’t.

Remember that on iPhones and iPads, all browsers and apps that can display web-based content (whether they’re from Apple, Mozilla, Microsoft, Google or any other vendor), are forced to use WebKit under the covers.

So, just installing an alternative browser and avoiding Safari for a while when you see news like this is not enough on its own!

(Note. On older Macs, check for the Safari 16.5.2 update using About This Mac > Software Update….)


Exit mobile version