Apple's Rapid Zero-Day Patch Causes Safari Issues, Users Say

Published: 23/11/2024   Category: security




Apple's emergency fix for a code-execution bug being actively exploited in the wild is reportedly buggy itself, and some indications point to the Cupertino giant halting patch rollouts.



Less than 24 hours after Apple issued an urgent fix for a zero-day security vulnerability under active exploitation in the wild, the patch is being reported to break certain websites in Safari.
The bug is found in Apple's WebKit browser engine (CVE-2023-37450) and allows arbitrary code execution on fully patched iPhones, Macs, and iPads. It can be exploited in drive-by attacks by luring targets to booby-trapped webpages.
"Apple is aware of a report that this issue may have been actively exploited," the company said in its Rapid Security Response (RSR) advisories on Monday.
The RSRs offered updates to all three operating systems and the browser itself:
iOS and iPadOS 16.5.1 (a)
macOS 13.4.1 (a)
Safari 16.5.2
Users should patch quickly, experts noted, if they can. "These exploits are usually executed silently," says Jamie Brummell, Socura co-founder and CTO. "They are effectively invisible, and the chances are that victims would never know they were targeted. Detailed forensic analysis would be needed to determine whether a device had been targeted after the fact."
However, in a surprise twist, users began reporting browser malfunctions in the wake of the patch's installation. According to postings in the official macOS Support Community and in the MacRumors user forum, some applications, including Facebook, Instagram, WhatsApp, and Zoom, started throwing "Unsupported Browser" errors in Safari after the updates were installed.
Users zeroed in on the extra "(a)" in the version number as the culprit: the unusual nomenclature gets in the way of the platforms' user-agent detection, they flagged.
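To illustrate the failure mode the users describe, the added example below (not code from the article or from any of the affected platforms) contrasts a brittle Safari version check that assumes "Version/x.y.z" is followed directly by "Safari/" with a tolerant one that accepts an optional parenthesised suffix such as "(a)". The user-agent strings are constructed for illustration and assume the RSR suffix appears after the version token.

```javascript
// Constructed user-agent strings (illustrative, not captured from a real device).
// UA_RSR mirrors the "(a)" version nomenclature the article describes for the RSR builds.
const UA_REGULAR = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.2 Safari/605.1.15";
const UA_RSR = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.2 (a) Safari/605.1.15";

// Brittle detection: requires "Version/<digits> Safari/" with nothing in between.
// Any extra token after the version number (such as "(a)") makes the match fail,
// so the browser is classified as unknown/unsupported.
function safariVersionBrittle(ua) {
  const m = /Version\/(\d+(?:\.\d+)*) Safari\//.exec(ua);
  return m ? m[1] : null;
}

// Tolerant detection: confirm Safari independently of the version token,
// exclude Chromium/Firefox-family browsers that also carry "Safari/",
// then read the numeric version and permit an optional " (x)" suffix.
function safariVersionTolerant(ua) {
  if (!/\bSafari\//.test(ua)) return null;
  if (/\b(Chrome|Chromium|CriOS|FxiOS|Edg)\//.test(ua)) return null;
  const m = /\bVersion\/(\d+(?:\.\d+)*)(?:\s*\([a-z]\))?/.exec(ua);
  return m ? m[1] : null;
}

// Minimum-version gate of the kind that produces an "Unsupported Browser" page.
// `detect` is one of the two parsers above; `minMajor` is a hypothetical threshold.
function isSupported(ua, detect, minMajor = 15) {
  const version = detect(ua);
  if (version === null) return false;
  return parseInt(version.split(".")[0], 10) >= minMajor;
}
```

With the brittle parser the RSR build is rejected even though it is newer than the regular 16.5.2 build; the tolerant parser returns the same version for both strings.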
MacRumors reported that the computing giant yanked the updates after the complaints, and some users noted that the latest patches no longer appear available for installation on any of the platforms (including on this author's iPhone, which shows iOS 16.5.1 as the latest available version despite having automatic updates enabled).
However, Apple has been mum on those reports, and it did not immediately respond to a request for comment from Dark Reading on the status of the patch process. Meanwhile, the new patches are still listed on the company's security advisory and RSR page.
"This patch was rapid in name, and rapid in nature," Brummell says. "Reports suggest it has been pulled by Apple because it was causing some websites to break. This is the challenge with rapidly developed patches. They can result in unexpected issues due to the limited time the vendor has to test them."
This is only the second time Apple has deployed its RSR emergency update protocol, which was rolled out earlier this year in an effort to be more agile in security patching. The idea is to push out single-issue fixes as they're needed, rather than use more traditional periodic updates that contain a glut of fixes and feature updates all at once.
The first RSR also had problems and didn't install properly on iPhones, so it's clear that Apple is still working out the kinks in the scheme, Brummell notes.
As the patch confusion clears on the zero-day, exploits are likely continuing. Worried iPhone users do have some recourse even so, against this and other Apple zero-days.
"One of the only effective things iPhone users can do to defend against these zero-days is to reboot daily," Brummell says. "Gaining persistence on iPhone is extremely hard, so restarting usually kills the threat actor's code, at least until the device gets exploited again."
He also points out that Apple Lockdown Mode for all platforms can stop some of these exploits from working, by blocking Web-based scripts, risky message attachment types, and more.
