Apple Withdraws Rapid Security Response Patches After Issues With Web Browsing
Apple engineers have reported that emergency security updates released this week to address a 0-day vulnerability already under attack were preventing some sites from displaying, which led to the withdrawal of the RSR patches.
Earlier this week, Apple released RSR (Rapid Security Response) patches that fix a zero-day vulnerability (CVE-2023-37450) affecting iPhone, Mac and iPad users. The company warned that the vulnerability appears to be already exploited by attackers.
The vulnerability was discovered in the WebKit engine. It allows attackers to execute arbitrary code on a target device if they can trick the user into opening a page containing malicious content.
RSR Patches Withdrawn
Apple developers have now withdrawn these updates. The company did not explain exactly what happened or why some sites did not work correctly after the patches were installed. The user-agent detection of some services (such as Zoom, Facebook and Instagram) appears to have been broken, causing sites to display errors when using Safari.
For example, after the update is applied on an iOS device, the new user agent contains the string “(a)” and becomes: Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.2 (a) Mobile/15E148 Safari/604.1. This prevented sites from identifying it as a valid version of Safari and resulted in “browser not supported” errors.
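The failure mode described above can be reproduced with a strict version check. This is an added example, not code from Apple or from any of the affected sites: the sample user agents are constructed from the one quoted above, and brittleSafariVersion is a hypothetical stand-in for the kind of parsing that would reject the “(a)” token, shown beside a tolerant parser that treats it as an optional RSR suffix.

```javascript
// Constructed sample user agents, modelled on the string quoted in the article.
const UA_PLAIN = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Mobile/15E148 Safari/604.1";
const UA_RSR = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.2 (a) Mobile/15E148 Safari/604.1";

// Hypothetical brittle check (an assumption, not any site's real code):
// expects the version number to be followed directly by " Mobile/" or
// " Safari/", so an extra token such as "(a)" makes the whole match fail.
function brittleSafariVersion(ua) {
  const re = /Version\/(\d+)\.(\d+)(?:\.(\d+))? (?:Mobile\/\S+ )?Safari\/[\d.]+$/;
  const m = re.exec(ua);
  return m ? { major: +m[1], minor: +m[2], patch: +(m[3] || 0) } : null;
}

// Tolerant parse: reads the numeric version and records an optional
// parenthesised lowercase letter after it as a separate RSR suffix.
function tolerantSafariVersion(ua) {
  if (!/ Safari\/[\d.]+/.test(ua)) return null;
  const m = /Version\/(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(?:\(([a-z])\))?/.exec(ua);
  if (!m) return null;
  return { major: +m[1], minor: +(m[2] || 0), patch: +(m[3] || 0), rsr: m[4] || null };
}

// Minimum-version gate that takes the parser as a parameter, so both
// behaviours can be compared on the same input.
function isSupported(parse, ua, minMajor) {
  const v = parse(ua);
  return v !== null && v.major >= minMajor;
}

console.log("brittle :", isSupported(brittleSafariVersion, UA_RSR, 15));
console.log("tolerant:", isSupported(tolerantSafariVersion, UA_RSR, 15));
```

With the brittle parser the patched browser is reported as unsupported even though its version is newer than the unpatched one.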
“Apple is aware of an issue where recent Rapid Security Responses may prevent certain websites from displaying properly,” the company said. “Rapid Security Response for iOS 16.5.1(b), iPadOS 16.5.1(b), and macOS 13.4.1(b) will be available soon to address this issue.”
Advice for Users
The company is now advising users who have already installed the problematic updates to uninstall them if they experience problems browsing the web.
Note that these are not the first problems Apple has encountered with RSR patches. The release of the first patches of this kind was also not entirely successful: in May of this year, some users had problems installing RSR patches on their iPhones.