Apple has released patches for an actively exploited zero-day vulnerability in macOS Ventura, iOS, and iPadOS. Apple has mentioned in the advisory that they are aware of the issue being exploited. The vulnerability, CVE-2023-37450, was reported by an anonymous researcher.
CISA has added the zero-day vulnerability to its Known Exploited Vulnerabilities Catalog and recommended that users patch it before August 2, 2023.
Vulnerability Details
CVE-2023-37450 affects Apple’s WebKit browser engine. On successful exploitation, this vulnerability may lead to arbitrary code execution when maliciously crafted web content is processed. An attacker might trick a victim into visiting a web page containing such content, thus leading to code execution.
Affected versions
- macOS Ventura versions prior to 13.4.1
- iOS and iPadOS versions prior to 16.5.1
Mitigation
To patch the vulnerability, customers are requested to upgrade to the latest versions of macOS Ventura 13.4.1, iOS 16.5.1 and iPadOS 16.5.1.
For more information, please refer to the Apple security advisories HT213823 and HT213825.
Qualys Detection
Qualys customers can scan their devices with QID 378655 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
Note: Apple has updated the advisory, mentioning that the recent “Rapid Security Response macOS Ventura 13.4.1 (c) includes the security content of Rapid Security Response macOS Ventura 13.4.1 (a) and fixes an issue that prevents some websites from displaying properly.”
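The version check a defender would run against the note above, as an added example that is not part of the Qualys post: it assumes that a Ventura 13.4.1 host carries the fix only when a Rapid Security Response letter such as (a) or (c) is present, that anything newer than 13.4.1 also carries it, and that the installed RSR letter is stored in the ProductVersionExtra key of SystemVersion.plist.

```shell
#!/bin/sh
# Added example (not from the Qualys post): classify a macOS Ventura host
# against the 13.4.1 Rapid Security Response described in the note above.
# Assumption: 13.4.1 is patched only with an RSR supplement "(a)" or later;
# versions above 13.4.1 are assumed to include the fix.

# ventura_patched MAJOR.MINOR[.PATCH] [RSR_LETTER]
# Returns 0 (patched) or 1 (needs the RSR or an upgrade).
ventura_patched() {
    ver="$1"
    extra="${2:-}"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}
    if [ "$major" -gt 13 ]; then return 0; fi
    if [ "$major" -lt 13 ]; then return 1; fi   # not Ventura: treat as unpatched
    if [ "$minor" -gt 4 ]; then return 0; fi
    if [ "$minor" -lt 4 ]; then return 1; fi
    if [ "$patch" -gt 1 ]; then return 0; fi
    if [ "$patch" -lt 1 ]; then return 1; fi
    # Exactly 13.4.1: only an RSR supplement "(a)" or later carries the fix.
    case "$extra" in
        "("[a-z]")") return 0 ;;
        *) return 1 ;;
    esac
}

# Run on the local Mac. ProductVersionExtra is present in SystemVersion.plist
# only when an RSR is installed (assumption about the key name).
check_local_mac() {
    plist=/System/Library/CoreServices/SystemVersion.plist
    ver=$(sw_vers -productVersion 2>/dev/null) || return 2
    extra=$(defaults read "$plist" ProductVersionExtra 2>/dev/null || true)
    if ventura_patched "$ver" "$extra"; then
        echo "macOS $ver $extra: RSR present or newer, CVE-2023-37450 fix applied"
    else
        echo "macOS $ver $extra: install the Rapid Security Response or upgrade"
    fi
}
```

Call check_local_mac from the script body on each endpoint; feed the two values from an MDM inventory export into ventura_patched to classify a fleet offline.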
References
https://support.apple.com/en-us/HT213823
https://support.apple.com/en-us/HT213825