Zack WhittakerJul 10, 2023

Looks like there's a new WebKit zero-day under active exploitation targeting iOS, iPadOS, and macOS. Apple rolled out a Rapid Security Response patch today.

CVE: https://support.apple.com/en-us/HT213823

I also wrote about these real-time rapid security updates last year, in case you want a backgrounder: https://techcrunch.com/2022/06/07/apple-introduces-real-time-security-updates-for-ios-and-macos/

About the security content of Rapid Security Responses for iOS 16.5.1 and iPadOS 16.5.1

This document describes the content of Rapid Security Responses.

Apple Support
Show threadZack WhittakerJul 11, 2023

Ars is reporting that Apple pulled the Rapid Security Response patch after apparently causing issues loading some websites. For what it's worth, I experienced some of the website issues after installing the patch, but can't confirm if related. Still installed and no lingering issues, but doesn't exactly inspire confidence.

https://arstechnica.com/security/2023/07/apple-releases-quickly-pulls-rapid-security-response-update-for-0-day-webkit-bug/

Apple releases, quickly pulls Rapid Security Response update for 0-day WebKit bug

Update for iOS 16, macOS Ventura can be uninstalled if you're having problems.

Ars Technica
Show threadXebulun EnEssEitchJul 11, 2023
@zackwhittaker https://blog.pksecurity.io/2023/07/07/cve-2023-32439-webkit.html
Root Cause Analysis - CVE-2023-32439 Type Confusion in Webkit

Sunjoo Park @grigoritchy

PKSecurity
Show threadZack WhittakerJul 11, 2023
@xeb that blog post refers to last month's RSR update, not this one!
Show threadXebulun EnEssEitch
@zackwhittaker oh, my bad. thanks!
Jul 11, 2023 at 4:14pmWeb