Apple emergency patch to fix zero-day prevents some websites from displaying properly
Apple said it is planning to release a new version of a patch it issued Monday following reports that the fix is causing secondary issues for users.
Apple published a Rapid Security Responses (RSR) advisory Monday addressing CVE-2023-37450, a vulnerability the company says “may have been actively exploited.” The zero-day vulnerability affects WebKit, a browser engine used by many macOS and iOS applications.
On Tuesday, the company said it is “aware of an issue where this Rapid Security Response might prevent some websites from displaying properly,” adding that new versions “will be available soon to address this issue.” Apple provided instructions to users who wished to remove the RSR patch from their devices.
Several people in the comment section of a MacRumors article on the patch reported having issues opening Facebook and other platforms like Zoom and Instagram.
CVE-2023-37450 affects WebKit, which is “foundational to essentially every product in the Apple ecosystem that can render web content and that ranges from the operating systems to Apple’s products to third-party developer products,” according to Zimperium security architect Georgia Weidman.
“The very code re-use that has helped make the internet truly ubiquitous and has allowed Apple to provide such diverse offerings unfortunately comes with the associated cost that bad actors can increasingly use the same exploit across entire ecosystems of products,” Weidman added.
BleepingComputer, which first reported the patch, said this is the 10th zero-day vulnerability found within Apple products this year.
The RSR program is a new offering from Apple designed to “deliver important security improvements between software updates—for example, improvements to the Safari web browser, the WebKit framework stack, or other critical system libraries.”
“They may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist ‘in the wild,’” Apple said in a document explaining the program.
The advisory on Monday is the second RSR release since the program was started.
Viakoo’s John Gallagher lauded Apple for taking action to address the growing number of zero-day exploits through the new program and noted that the advisories give customers a “clear indication that the patch is urgent and different from a standard update for functionality and minor bug fixes.”
But he warned of the danger that RSRs “become too frequent and therefore become ‘background noise’ to users as current updates might be.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.