In a rare and urgent move, Apple has released rapid security updates for iOS, iPadOS, and macOS, warning of a critical vulnerability that is being actively exploited by attackers. This is not your average update notification. The company disclosed that this flaw could allow a highly sophisticated attacker to take complete control of your device without any interaction from you. The message from cybersecurity experts is unequivocal: update your devices immediately.
How to Update Your Apple Device – and Why?
The “why” is simple: to patch a dangerous zero-day vulnerability that attackers are already using in the wild. Delaying this update significantly increases your risk of a devastating cyberattack.
The “how” is straightforward. Follow these steps to ensure your devices are protected.
For iPhone and iPad:
-
Connect your device to Wi-Fi and ensure it has at least 50% battery or is plugged into a charger.
-
Open the Settings app.
-
Tap General.
-
Tap Software Update.
-
Your device will check for available updates. You should see iOS/iPadOS 16.5.1 (a) or a later version. The (a) denotes a Rapid Security Response update.
-
Tap Download and Install.
For Mac:
-
Connect your Mac to power and ensure it is connected to the internet.
-
Click the Apple menu () in the top-left corner of your screen.
-
Select System Settings (or System Preferences on older macOS versions).
-
Click General in the sidebar.
-
Click Software Update.
-
Your Mac will check for updates. Install macOS Ventura 13.4.1 (a) or any other update listed.
The following table provides a quick reference for which devices are affected and what to update to:
| Device Type | Operating System | Patch Version | Update Type | Key Vulnerability Patched |
|---|---|---|---|---|
| iPhone 8 & later, iPad Pro (all models), iPad Air 3rd gen & later, iPad 5th gen & later, iPad mini 5th gen & later | iOS / iPadOS | 16.5.1 (a) | Rapid Security Response | CVE-2023-37450 (WebKit) |
| Macs running macOS Ventura | macOS | 13.4.1 (a) | Rapid Security Response | CVE-2023-37450 (WebKit) |
| Older Macs | macOS Monterey, Big Sur | Security Update 2023-07-24 | Standard Security Update | CVE-2023-37450 (WebKit) |
What are Rapid Security Responses?
A key feature of this update is Apple’s use of a new delivery mechanism: Rapid Security Responses (RSRs). This system allows Apple to deploy security fixes for critical vulnerabilities between standard software updates without requiring a full iOS or macOS version update.
They are designed to be:
-
Smaller: They download and install much faster than a full update.
-
Faster: They can be developed and pushed out urgently to counter immediate threats.
-
Automated: By default, RSRs are applied automatically. You can check this setting on your iPhone under Settings > General > Software Update > Automatic Updates.
This incident marks one of the first major uses of RSRs, demonstrating their value in responding quickly to live threats.
An Extremely Sophisticated Attack
The technical reason for the urgency is two related vulnerabilities, tracked as CVE-2023-37450 and often associated with CVE-2023-38606. The description from Apple is chilling in its simplicity: “An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication.” While this sounds highly technical, its real-world implications are severe.
What is Pointer Authentication?
To understand the threat, think of Pointer Authentication as a sophisticated tamper-proof seal on a software instruction.
The Pointer: In code, a pointer is like a digital address that tells the processor where to find the next instruction or piece of data to execute.
The Authentication (PAC): Pointer Authentication Codes (PAC) are a security feature on Apple’s A- and M-series chips. They cryptographically “sign” these pointers with a unique key. Before the processor follows the pointer’s instruction, it checks this signature.
The Bypass: The vulnerability CVE-2023-38606 reportedly leaked the crucial PAC key from the hardware. With this key, an attacker can forge the signature on a malicious pointer, tricking the processor into believing it’s legitimate. This allows them to hijack the very core of the device’s operation.
This flaw was chained with a second vulnerability, CVE-2023-37450, a remote code execution bug in the WebKit browser engine.
The Attack Chain: How It Worked
The combination of these flaws created a “one-two punch” for a potent, no-click exploit. The attack can be broken down into a clear sequence of stages:
1: Initial Compromise (via WebKit)
-
Action: The victim clicks a malicious link or visits a compromised website.
-
Exploit: The site contains code that exploits CVE-2023-37450, a flaw in the WebKit engine that powers Safari and all in-app browsers.
-
Result: The malicious code breaks out of the browser’s security “sandbox,” giving the attacker a initial foothold on the device.
2: Privilege Escalation (via Kernel)
-
Action: The attacker, now with a foothold, activates the second, more critical exploit.
-
Exploit: They leverage CVE-2023-38606 to leak the device’s unique PAC key from memory.
-
Result: With this key, they can disable Pointer Authentication, bypass the CPU’s core security, and elevate their privileges to kernel level—the highest possible authority on the device, equivalent to having master keys to the entire operating system.
3: Full Device Control
-
Action: With kernel-level access, the attacker has no restrictions.
-
Result: They can silently install powerful spyware (e.g., like Pegasus), monitor all activity (messages, calls, camera, location), and maintain persistent control over the device, all completely hidden from the user.
This is called a “zero-click” (0-click) exploit because the victim doesn’t need to download an app or even click a link; merely receiving a message or visiting a website could have been enough to trigger the entire attack sequence.
Who is Behind This? The NSO Group Connection
While Apple did not name the attackers, the sophistication and nature of the exploit strongly point to the work of mercenary spyware companies like the infamous NSO Group, creators of the Pegasus spyware.
-
Targeted Attacks: These exploits are typically not used in widespread, random attacks. They are “zero-day” (previously unknown) and extremely valuable, often costing millions of dollars. They are weaponized by nation-states to target specific individuals: journalists, political dissidents, human rights activists, and government officials.
-
Pegasus-like Capabilities: The ability to compromise a device with no user interaction is a hallmark of advanced spyware like Pegasus.
The discovery and patching of this flaw are attributed to cybersecurity researchers at organizations like Citizen Lab and Google’s Threat Analysis Group (TAG)—groups dedicated to uncovering these digital weapons used against high-risk targets.
Conclusion: Don’t Delay, Update Today
This incident serves as a critical reminder of the evolving digital threat landscape. Even the most secure platforms like Apple’s are in a constant arms race against highly resourced and sophisticated adversaries.
The silver lining is that Apple found the flaw and fixed it quickly. The patch is now available to everyone. The responsibility now shifts to the user.
Your action is the final step in the security chain. By taking ten minutes to update your devices, you are slamming the door shut on one of the most advanced types of cyberattacks known today. Protect your privacy, your data, and your device by installing the latest update now.
