Apple released a Rapid Security Response (RSR) late last week to cover a vulnerability affecting all iPhones and iPads. The vulnerability is tracked as CVE-2023-37450 and is fixed by 16.5.1(c) or later. It is a remote code execution vulnerability in WebKit, Apple's cross-platform browser engine, i.e. the engine that powers Safari and other third-party web browsers on iOS. Apple has reported that it is aware of the vulnerability being exploited in the wild. CISA has also directed federal agencies to fix it by August 03, 2023.
It is unclear whether Apple will release a patch for CVE-2023-37450 for older iPhone models as version 15.7.8 doesn’t cover CVE-2023-37450.
While limited information has been made available about the vulnerability, the fact that its remote code execution capability is being exploited in the wild makes it critical enough to patch. We strongly recommend that iPhone and iPad users keep their devices on auto-update for RSR so that these security fixes are applied as soon as they are released.
It is likely that the vulnerability is triggered by processing maliciously crafted web content, giving the attacker elevated privileges. While we currently do not have a way to mark devices out of compliance for RSR versions, our multifaceted approach protects mobile users from the malicious phishing campaigns that are built to exploit these vulnerabilities. Lookout will also detect if an attacker successfully compromises the device at the OS level. We recommend broadcasting the importance of installing the RSR version so that the primary layer of defense is in place.
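As an added example (not Lookout's code), a small inventory check that treats the RSR letter as part of the version, so that 16.5.1 (c) sorts above both 16.5.1 and 16.5.1 (a). It assumes devices report the version string as Settings displays it (e.g. "16.5.1 (c)"), and that later point releases carry the RSR fix forward.

```python
import re
from typing import Dict, List, Tuple

# Matches "16.5.1", "16.6", "16.5.1 (c)" or "16.5.1(c)"; the optional trailing
# letter in parentheses is the Rapid Security Response suffix.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:\((\w)\))?\s*$")


def parse_ios_version(s: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, rsr). rsr is 0 with no suffix, 1 for (a),
    2 for (b), ... so an RSR build compares greater than its base version."""
    m = VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised iOS version string: {s!r}")
    major, minor, patch, rsr = m.groups()
    rsr_num = ord(rsr.lower()) - ord("a") + 1 if rsr else 0
    return (int(major), int(minor), int(patch or 0), rsr_num)


# Minimum fixed version per major release, from the advisory: 16.5.1 (c).
# No entry for 15: the advisory notes 15.7.8 does not cover CVE-2023-37450.
FIXED_FOR_CVE_2023_37450: Dict[int, Tuple[int, int, int, int]] = {
    16: parse_ios_version("16.5.1 (c)"),
}


def is_patched_for_cve_2023_37450(version: str) -> bool:
    v = parse_ios_version(version)
    if v[0] > max(FIXED_FOR_CVE_2023_37450):
        return True  # assumption: newer major releases include the fix
    fixed = FIXED_FOR_CVE_2023_37450.get(v[0])
    return fixed is not None and v >= fixed


def unpatched_devices(inventory: Dict[str, str]) -> List[str]:
    """Device IDs (constructed sample keys) still exposed to the CVE."""
    return sorted(d for d, ver in inventory.items()
                  if not is_patched_for_cve_2023_37450(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {"dev-1": "16.5.1 (c)", "dev-2": "16.5.1", "dev-3": "15.7.8"}
    print(unpatched_devices(sample))  # ['dev-2', 'dev-3']
```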
Lookout Threat Advisory provides cutting-edge mobile threat intelligence from Lookout's global sensor network of millions of mobile devices and insights from Lookout's top mobile security researchers, protecting your organization from major threats.