UPDATE - Apple has released an emergency update fixing an actively exploited security flaw in WebKit that impacts iOS, macOS and iPadOS.
The update for the flaw (CVE-2023-37450) is available for iOS 16.5.1, macOS Ventura 13.4.1 and iPadOS 16.5.1. Apple did not give further details on the flaw tied to CVE-2023-37450 other than to say that it was discovered by an anonymous researcher, that it could lead to arbitrary code execution and that the issue was addressed with improved checks.
“Processing web content may lead to arbitrary code execution,” according to Apple’s update. “Apple is aware of a report that this issue may have been actively exploited.”
WebKit is the web browser engine developed by Apple and used by Safari, Mail, App Store, and many other apps on macOS, iOS and Linux. WebKit has been a common target for threat actors as many previously exploited vulnerabilities have been reported in this component, including three flaws reported by Apple in May that impacted certain Mac, iPhone and Safari users.
The fix was released on Monday as part of Apple’s Rapid Security Response program, its new software release for iPhones, iPads and Macs that aims to ship security fixes to end users more frequently, and that is enabled by default on devices.
"Rapid Security Responses are a new type of software release for iPhone, iPad, and Mac," according to Apple. "They deliver important security improvements between software updates—for example, improvements to the Safari web browser, the WebKit framework stack, or other critical system libraries. They may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist 'in the wild.'"
On Tuesday, the company gave users the option to remove the Rapid Security Response, confirming that it caused some issues that might prevent some websites from displaying properly. Apple said that a fixed version of the update, Rapid Security Responses iOS 16.5.1 (b), iPadOS 16.5.1 (b), and macOS 13.4.1 (b), will soon be available.
Apple has fixed a number of other zero-day flaws overall in the past few months. In April, the company warned of two bugs that were being actively exploited in iOS, macOS, and Safari, including one in the IOSurfaceAccelerator (CVE-2023-28206) and the other in the WebKit framework (CVE-2023-28205). And in March, Google TAG and Amnesty International disclosed a pair of spyware campaigns that were leveraging iOS and Android zero day exploit chains to target victims across the globe.
This article was updated on July 11 to reflect that Apple's Rapid Security Response update was causing issues for end users.