Less than 24 hours after issuing an urgent fix for a zero-day security vulnerability under active exploitation in the wild, Apple is facing user reports that the patch rollout breaks certain websites in Safari.
The bug is found in Apple's WebKit browser engine (CVE-2023-37450) and allows arbitrary code execution on fully patched iPhones, Macs, and iPads. It can be exploited in drive-by attacks by luring targets to booby-trapped webpages.
"Apple is aware of a report that this issue may have been actively exploited," the company said in its Rapid Security Response (RSR) advisories on Monday.
The RSRs offered updates to all three operating systems and the browser itself:
- iOS and iPadOS 16.5.1 (a)
- macOS 13.4.1 (a)
- Safari 16.5.2
Users should patch quickly, experts noted, if they can. "These exploits are usually executed silently," says Jamie Brummell, Socura co-founder and CTO. "They are effectively invisible, and the chances are that victims would never know they were targeted. Detailed forensic analysis would be needed to determine whether a device had been targeted after the fact."
However, in a surprise twist, users began reporting browser malfunctions in the wake of the patches' installation. According to postings in the official macOS Support Community and in the MacRumors user forum, some applications, including Facebook, Instagram, WhatsApp, and Zoom, started throwing "Unsupported Browser" errors in Safari after the updates were installed.
Users zeroed in on the extra "(a)" in the version number as the culprit: the unusual nomenclature trips up the platforms' user-agent detection, which no longer recognizes the browser as a supported version, they flagged.
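As an added illustration (not code from the article or from Apple), the kind of user-agent check that an unexpected "(a)" suffix trips, beside a version check that tolerates it. The user-agent strings below are constructed, and the assumption that the RSR build reports "Version/16.5.2 (a)" is mine, not the article's.

```javascript
// Added example, not from the article. Both UA strings are constructed for
// illustration; the exact string sent by Safari 16.5.2 (a) is an assumption.
const UA_BEFORE = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Safari/605.1.15";
const UA_AFTER  = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.2 (a) Safari/605.1.15";

// Brittle check: requires "Version/x.y.z" to be followed directly by " Safari/".
// Any extra token such as "(a)" breaks the match, so the browser looks unsupported.
function brittleSafariVersion(ua) {
  const m = ua.match(/Version\/(\d+(?:\.\d+)*) Safari\//);
  return m ? m[1] : null;
}

// Tolerant check: take the numeric version after "Version/" and ignore whatever
// follows it, as long as "Safari/" appears later and it is not a Chromium UA.
function tolerantSafariVersion(ua) {
  if (!/ Safari\//.test(ua) || /Chrome\/|CriOS\/|Chromium\//.test(ua)) return null;
  const m = ua.match(/Version\/(\d+(?:\.\d+)*)/);
  return m ? m[1] : null;
}

// Support decision: compare only the numeric major.minor against a minimum,
// using whichever parser the site chose. Unparseable means "unsupported".
function isSupported(ua, minMajor, minMinor, parse = tolerantSafariVersion) {
  const v = parse(ua);
  if (v === null) return false;
  const [major, minor = 0] = v.split(".").map(Number);
  return major > minMajor || (major === minMajor && minor >= minMinor);
}
```

With the brittle parser the RSR build is rejected even though it is newer than the build the site accepts; the tolerant parser reads 16.5.2 and accepts it.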
Did Apple Withdraw the Patches?
MacRumors reported that the computing giant yanked the updates after the complaints, and some users noted that the latest patches no longer appear available for installation on any of the platforms (including on this author's iPhone, which shows iOS 16.5.1 as the latest available version despite having automatic updates enabled).
However, Apple has been mum on those reports, and it did not immediately respond to a request for comment from Dark Reading on the status of the patch process. Meanwhile, the new patches are still listed on the company's security advisory and RSR page.
"This patch was rapid in name, and rapid in nature," Brummell says. "Reports suggest it has been pulled by Apple because it was causing some websites to break. This is the challenge with rapidly developed patches. They can result in unexpected issues due to the limited time the vendor has to test them."
Rapid Security Response: Too Much, Too Soon?
This is only the second time Apple has deployed its RSR emergency update protocol, which was rolled out earlier this year in an effort to be more agile in security patching. The idea is to push out single-issue fixes as they're needed, rather than use more traditional periodic updates that contain a glut of fixes and feature updates all at once.
The first RSR also had problems and didn't install properly on iPhones, so it's clear that Apple is still working out the kinks in the scheme, Brummell notes.
While the confusion over the patch is sorted out, exploitation of the zero-day is likely continuing. Even so, worried iPhone users do have some recourse against this and other Apple zero-days.
"One of the only effective things iPhone users can do to defend against these zero-days is to reboot daily," Brummell says. "Gaining persistence on iPhone is extremely hard, so restarting usually kills the threat actor's code, at least until the device gets exploited again."
He also points out that Apple Lockdown Mode for all platforms can stop some of these exploits from working, "by blocking Web-based scripts, risky message attachment types, and more."