CVE-2023-37450 — Apple Multiple Products WebKit Code Execution Vulnerability

Apple WebKit — Actively Exploited Zero-Day Patched via Rapid Security Response in July 2023

What is Apple WebKit?

WebKit is Apple's browser rendering engine used by Safari on all Apple platforms and mandated for all browsers on iOS and iPadOS. It processes web content — HTML, CSS, JavaScript, media, and embedded resources — for display. Because all web browsing on iOS goes through WebKit, and because web content is routinely served from untrusted sources, WebKit vulnerabilities are among the most impactful in the Apple ecosystem. A code execution bug that can be triggered by visiting a malicious page effectively gives an attacker initial code execution on the device with a single web visit.

Overview

CVE-2023-37450 is a WebKit code execution vulnerability in which processing maliciously crafted web content may lead to arbitrary code execution. Apple disclosed and patched it on July 10, 2023, via its Rapid Security Response (RSR) mechanism — the first notable use of RSR for an actively exploited zero-day — and acknowledged that the issue had been actively exploited before the patch. CISA added it to the KEV catalog three days later.

Affected Versions

| Product                  | Affected                  | Fixed (RSR)                  | Fixed (Full Update)                      |
|--------------------------|---------------------------|------------------------------|------------------------------------------|
| iOS                      | Prior to 16.5.1 (c)       | iOS 16.5.1 (c) — July 10     | iOS 16.6 — July 24                       |
| iPadOS                   | Prior to 16.5.1 (c)       | iPadOS 16.5.1 (c) — July 10  | iPadOS 16.6 — July 24                    |
| macOS Ventura (Safari)   | Prior to Safari 16.5.2    | macOS 13.4.1 (c) — July 10   | macOS 13.5 / Safari 16.6 — July 24       |
| iOS 15 / iPadOS 15       | Yes (prior to 15.7.8)     | Not available via RSR        | iOS 15.7.8 / iPadOS 15.7.8 — July 24     |

Technical Details

Apple described CVE-2023-37450 as allowing code execution via "processing web content" — the standard description for WebKit renderer bugs. The vulnerability type was not fully detailed publicly, but the class is consistent with WebKit's historical vulnerability profile: type confusion, use-after-free, or out-of-bounds access in JavaScript/HTML parsing that achieves code execution within the WebKit renderer process.

The July 2023 RSR patches marked a significant milestone: this was one of the first actively exploited zero-days patched via Apple's Rapid Security Response system (introduced in iOS 16.4/macOS 13.3), which can deliver targeted security fixes as small incremental updates without requiring a full OS update. The RSR mechanism is designed precisely for this scenario — rapid deployment of patches for high-severity zero-days ahead of the next full release cycle.

Discovery

Apple credited an anonymous researcher. Active exploitation before the patch indicates the vulnerability was discovered and weaponized by threat actors prior to Apple's awareness — the pattern associated with targeted attacks by commercial surveillance vendors or state-sponsored actors.

Exploitation Context

The pattern of active WebKit exploitation in mid-2023 fits the broader threat landscape: surveillance industry operators routinely invest in browser exploit chains, using WebKit bugs as the initial code execution primitive before escalating with a kernel privilege escalation (such as CVE-2023-37951, patched in the same July 24 update). CISA's rapid KEV addition (three days after the RSR patch) reflects confirmed exploitation against real targets.

Remediation

  1. Update to iOS/iPadOS 16.5.1 (c) or later. Any update installed after July 10, 2023 (iOS 16.6 or any later version) includes the fix.
  2. Update macOS Ventura to 13.5 or later (or apply the Safari 16.6 standalone update for older macOS versions).
  3. Update iOS 15 devices to iOS 15.7.8 or later — older devices not supported by iOS 16 received fixes in the July 24 update.
  4. Enable Rapid Security Responses on all Apple devices: Settings → General → Software Update → Automatic Updates → Security Responses & System Files → enable. This ensures future emergency patches are applied without waiting for manual user action.
  5. Enable Lockdown Mode for at-risk individuals — while not a fix for this specific bug, Lockdown Mode significantly reduces WebKit's attack surface by disabling just-in-time JavaScript compilation and other features commonly exploited in browser chains.
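The version thresholds in the Affected Versions table are easy to misapply because Rapid Security Response builds carry a letter suffix ("16.5.1 (c)") that plain numeric comparison ignores, so a device on 16.5.1 without the suffix is still affected. The following patch-compliance check is an added example, not code from this advisory or from Apple: it encodes the table above as fix thresholds, treats the RSR letter as a tie-break that sorts above the unlettered release, and flags devices from a constructed inventory that still need action.

```python
import re

# Fix thresholds taken from this advisory's Affected Versions table, keyed by
# product and release line (major version). Assumption: a build is fixed when it
# sorts at or above the threshold (numeric parts first, RSR letter as tie-break).
FIXED_AT = {
    "ios":    {16: "16.5.1 (c)", 15: "15.7.8"},
    "ipados": {16: "16.5.1 (c)", 15: "15.7.8"},
    "macos":  {13: "13.4.1 (c)"},   # Ventura; Safari 16.5.2 carries the same fix
    "safari": {16: "16.5.2"},
}

_VER_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:\(([a-z])\))?\s*$")

def parse_version(text: str) -> tuple[tuple[int, ...], str]:
    """'16.5.1 (c)' -> ((16, 5, 1), 'c'); '16.6' -> ((16, 6, 0), '')."""
    m = _VER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Apple version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # 16.6 compares as 16.6.0
    return tuple(nums), m.group(2) or ""   # '' sorts below any RSR letter

def is_patched(product: str, version: str):
    """True = fixed, False = affected, None = release line not covered here."""
    lines = FIXED_AT[product.lower()]
    parsed = parse_version(version)
    major = parsed[0][0]
    if major in lines:
        return parsed >= parse_version(lines[major])
    if major > max(lines):
        return True    # advisory: "iOS 16.6 or any later version includes the fix"
    return None        # older line (e.g. iOS 14) is not addressed by this advisory

def needs_action(inventory):
    """Return names of devices that are affected or whose status is unknown."""
    return [d["name"] for d in inventory
            if is_patched(d["product"], d["version"]) is not True]

# Constructed sample inventory (not real device data)
SAMPLE_INVENTORY = [
    {"name": "phone-01",  "product": "iOS",    "version": "16.5.1 (c)"},
    {"name": "phone-02",  "product": "iOS",    "version": "16.5.1"},
    {"name": "tablet-03", "product": "iPadOS", "version": "15.7.7"},
    {"name": "mac-04",    "product": "macOS",  "version": "13.4.1 (c)"},
    {"name": "mac-05",    "product": "macOS",  "version": "13.5"},
    {"name": "legacy-06", "product": "iOS",    "version": "14.8.1"},
]

if __name__ == "__main__":
    print("needs action:", needs_action(SAMPLE_INVENTORY))
    # → needs action: ['phone-02', 'tablet-03', 'legacy-06']
```

Devices returning None are on a release line the advisory does not cover and should be treated as unresolved rather than silently passed.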

Key Details

| Property            | Value                                        |
|---------------------|----------------------------------------------|
| CVE ID              | CVE-2023-37450                               |
| Vendor / Product    | Apple — Multiple Products                    |
| NVD Published       | 2023-07-27                                   |
| NVD Last Modified   | 2025-10-23                                   |
| CVSS 3.1 Score      | 8.8                                          |
| CVSS 3.1 Vector     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity            | HIGH                                         |
| CISA KEV Added      | 2023-07-13                                   |
| CISA KEV Deadline   | 2023-08-03                                   |
| Known Ransomware Use | No                                          |

CVSS 3.1 Breakdown

| Metric              | Value     |
|---------------------|-----------|
| Attack Vector       | Network   |
| Attack Complexity   | Low       |
| Privileges Required | None      |
| User Interaction    | Required  |
| Scope               | Unchanged |
| Confidentiality     | High      |
| Integrity           | High      |
| Availability        | High      |

Required Action

CISA BOD 22-01 Deadline: 2023-08-03. Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.

Timeline

| Date       | Event                                                                                                                                  |
|------------|----------------------------------------------------------------------------------------------------------------------------------------|
| 2023-07-10 | Apple issues Rapid Security Response patches: iOS 16.5.1 (c), iPadOS 16.5.1 (c), macOS 13.4.1 (c), Safari 16.5.2 — addressing CVE-2023-37450 |
| 2023-07-13 | Added to CISA Known Exploited Vulnerabilities catalog                                                                                   |
| 2023-07-24 | Apple releases iOS 16.6, macOS Ventura 13.5, Safari 16.6, iOS 15.7.8 — incorporating the WebKit fix in full OS updates                  |
| 2023-08-03 | CISA BOD 22-01 remediation deadline                                                                                                    |