2023-05-18
Apple Releases Fixes for Three Zero-Days
Apple has released updates to address three zero-day vulnerabilities: a sandbox escape, an out-of-bounds read issue, and a use-after-free issue. All three affect the WebKit browser engine. Fixes are included in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5. Two of the three vulnerabilities were addressed earlier this month with Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1.
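The practical question for a fleet is which hosts carry all three fixes, which carry only the two shipped in the RSR, and which carry none. The script below is an added example written for this page, not code from Apple or SANS. It takes the fixed versions from the text above (macOS Ventura 13.4 for all three fixes; the 13.3.1 RSR for two of them) and assumes, as labelled in the comments, that a host with the RSR applied reports ProductVersionExtra "(a)" in sw_vers output; the version-comparison helper is generic and works for any dotted version string.

```sh
#!/bin/sh
# Added example (not from the advisory or the editors): classify a macOS host
# against the WebKit zero-day fixes described in the article.
# From the text: macOS Ventura 13.4 carries all three fixes; the Rapid Security
# Response for macOS 13.3.1 carries two of them.
# Assumption (not from the page): a host with that RSR installed reports
# ProductVersionExtra "(a)" in `sw_vers` output.

# vercmp A B: print -1, 0 or 1 comparing two dotted version strings numerically,
# so that 13.10 sorts after 13.9 (a plain string compare would get this wrong).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"   # drop it, or stop when none left
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"          # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# webkit_fix_status VERSION [EXTRA]: print "full", "partial" or "none".
#   full    - 13.4 or later: all three WebKit fixes present
#   partial - 13.3.1 with the RSR "(a)" applied: two of the three fixes
#   none    - anything else (13.3.1 without the RSR, 13.3, older releases)
webkit_fix_status() {
    v="$1"; extra="${2:-}"
    if [ "$(vercmp "$v" 13.4)" -ge 0 ]; then
        echo full
    elif [ "$(vercmp "$v" 13.3.1)" -eq 0 ] && [ "$extra" = "(a)" ]; then
        echo partial
    else
        echo none
    fi
}

# When run on a Mac, read the live values; elsewhere the functions are just
# defined so they can be called with version strings from an inventory export.
if [ "$(uname -s)" = "Darwin" ] && command -v sw_vers >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    extra=$(sw_vers 2>/dev/null | awk -F: '/ProductVersionExtra/ {gsub(/[ \t]/, "", $2); print $2}')
    echo "macOS $ver $extra: WebKit zero-day fix coverage = $(webkit_fix_status "$ver" "$extra")"
fi
```

Feeding inventory data through webkit_fix_status rather than checking for "13.4" by string match matters because later point releases (13.4.1 and beyond) also carry the fixes, and because a host reporting "partial" is exactly the case the editors warn about: the RSR alone leaves the third vulnerability unpatched.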
Editor's Note
Two of the zero-days were fixed in the recent "rapid security response" update. By combining these vulnerabilities, an attacker is able to execute arbitrary code outside the browser sandbox as a user visits a malicious web page.
Johannes Ullrich
Interesting that we saw two of these come out as Rapid Updates, but the third bundled with a major update (including the previous two). I have been beta-testing 16.5 for a while, so maybe the timing was right. So far, we have only seen one rapid security update in the last build. I guess the question that would make me wonder is the release cadence for these. Given this minor build update, I would assume that it follows a “rapid release” between major/minor build updates. When those updates are ready, any additional security patches will roll into the major/minor builds. Ultimately if you were thinking of relying on Rapid Updates solely for patches, you would be missing critical fixes still.
Moses Frost
Those zero-day fixes are baked into these releases, and unlike the RSR updates, your EMM/MDM should have no issues pushing these to your devices. Note these issues also prompted an update to iOS 15.7.6, which has 12 CVEs listed, vs. iOS 16.5, which addresses about 39.
Lee Neely
Apple products are getting noticed by hackers, and not in a good way. The total now stands at six zero-day vulnerabilities for 2023. Hopefully users were already on the latest operating system version(s) and took advantage of Apple’s RSR service. If not, whenever you see the words ‘actively exploited’ in the security bulletin, immediately elevate its priority in your patch cycle.