EXH-040 | 2026 | Fictional reconstruction

WebKit Fleet Dragnet

March 10, 2026. A zero-click-looking WebKit crash hits two executive iPhones before the 26.5 fleet window. You trace the lure, crash logs, device rings, and wipe evidence.

Type: Defensive / IR
Difficulty: Intermediate
Era: 2020s
Time: 9 min

Briefing

The attacker sends a conference agenda link through an executive chat. The browser crashes, the device beacons to an unapproved host, and MDM has to move faster than the normal rollout ring. This exhibit is logs and device state only: no payloads, no exploit recipe.

Your role

Apple platform engineer validating deferrals before the fleet update wave.

Objective

Follow the simulated mobile incident from link click to WebKit crash to MDM containment, then prove the wrong devices did not get deferred.

Terminal environment

user: responder
host: mdm-build-03
cwd: /home/mdm/surge-mar10
steps: 8

Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.