Apple confirms WebKit security updates break browsing on some sites

Apple confirmed today that emergency security updates released on Monday to address a zero-day bug exploited in attacks also break browsing on some websites. New ones will be released soon to address this known issue, the company says.

While Apple did not explain why the affected websites were prevented from rendering correctly, this reportedly happened after some services' user-agent detection (i.e., Zoom, Facebook, and Instagram) got broken and caused the websites to start showing errors in Safari on patched devices.

For instance, after applying the RSR updates on an iOS device, the new user agent containing an "(a)" string is "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.2 (a) Mobile/15E148 Safari/604.1," which prevents websites from detecting it as a valid version of Safari, thus displaying browser not supported error messages.

"Apple is aware of an issue where recent Rapid Security Responses might prevent some websites from displaying properly," the company says in a support document released on Tuesday.

"Rapid Security Responses iOS 16.5.1 (b), iPadOS 16.5.1 (b), and macOS 13.4.1 (b) will be available soon to address this issue."

The company advises customers who have already applied the buggy security updates to remove them if they're experiencing issues while browsing the web.

On iPhone or iPad devices, you can do that by tapping 'Remove Security Response' and then tapping 'Remove' to confirm from Settings > About > iOS Version.

Mac users can remove the RSR updates by opening the  menu and clicking More Information in 'About this Mac.' Once there, you have to click the Info (i) button next to the version number under macOS and then click 'Remove' and 'Restart.'

​The zero-day flaw (tracked as CVE-2023-37450) was found in Apple's WebKit browser engine, and it lets attackers gain arbitrary code execution by tricking the targets into opening web pages containing maliciously crafted content.

"Apple is aware of a report that this issue may have been actively exploited," the company said in iOS and macOS advisories describing the CVE-2023-37450 vulnerability patched in yesterday's emergency security updates.

"This Rapid Security Response provides important security fixes and is recommended for all users," Apple warned customers on devices the RSR patches were delivered.

Since the start of the year, Apple patched a total of ten zero-day flaws exploited in the wild to hack iPhones, Macs, or iPads.

For instance, earlier this month, Apple addressed three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) abused in attacks to install Triangulation spyware on iPhones via iMessage zero-click exploits.

Before that, the company also patched:

• Three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May, the first reported by Amnesty International Security Lab and Google Threat Analysis Group researchers and likely used to install mercenary spyware.
• Two other zero-days (CVE-2023-28206 and CVE-2023-28205) in April were used as part of exploit chains of Android, iOS, and Chrome zero-day and n-day flaws to deploy spyware on devices belonging to high-risk targets.
• and another WebKit zero-day (CVE-2023-23529) in February, exploited to gain code execution on vulnerable iPhones, iPads, and Macs.