Apple ships that recent “Rapid Response” spyware patch to everyone, fixes a second zero-day
Two weeks ago, we urged Apple users with recent hardware to grab the company's second-ever Rapid Response patch.
CVE-2023-37450: an anonymous researcher
The next-best thing to zero-click attacks
Technically, code execution bugs that can be triggered by getting you to look at a web page that contains booby-trapped content don't count as so-called zero-click attacks.
The worm therefore quickly overwhelmed the internet by infecting victims over and over again until they were doing little other than attacking everyone else.
A look-and-get-pwned attack, also known as a drive-by install, where merely looking at a web page can invisibly implant malware, even though you don't click any additional buttons or approve any pop-ups, is the next-best thing for an attacker.
If the malware the attackers execute via an initial browser hole is specifically coded to exploit the second bug in the chain, then they immediately escape from any limitations or sandboxing implemented in the browser app by taking over your entire device at the operating system level instead. Typically, that means they can spy on every app you run, and even on the operating system itself, as well as installing their malware as an official part of your device's startup procedure, thus invisibly and automatically surviving any precautionary reboots you might perform.
If guarding against the Triangulation Trojan malware isn't enough to convince you on its own, don't forget that these updates also patch against numerous theoretical attacks that Apple and other Good Guys found proactively, including kernel-level code execution holes, elevation-of-privilege bugs, and data leakage flaws.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-07-27 | CVE-2023-37450 | Unspecified vulnerability in Apple products. The issue was addressed with improved checks. | 8.8 |