Apple Takes the Lead in Rapid Security Response Update

Update for the update: Apple overtakes last "Rapid Security Response"

Apple released a new version of its security update for macOS, iPadOS, and iOS on Thursday night. The update, called Rapid Security Response (RSR), had previously been withdrawn due to website compatibility issues. Popular platforms like Instagram and Zoom reported that the Safari browser patched with RSR was no longer supported. The cause was a change Apple had made to the user agent string, which websites then read incorrectly.

Apple claims that the error has now been fixed in the update. Users can install the update via the system settings on Mac, iPad, and iPhone. It will also be distributed automatically in the coming weeks. The main reason for the update was to address a zero-day bug in the WebKit browser engine that Apple says has already been exploited. Certain manipulated websites could allow attackers to run code, although not with root rights. Apple stated that it is aware that the issue may have been actively exploited. The bug is tracked as CVE-2023-37450, and Apple credits its discovery to an anonymous individual.

The RSR was initially sent to users on Monday evening but was quickly withdrawn and no longer distributed through software updates. Apple took three days to roll out the fix. The update is now labeled as “iOS Security Response 16.5.1 (c)” or “macOS Ventura Security Response 13.4.1 (c)”, with the “(b)” designation skipped internally. On iPhone and iPad, the update is relatively quick and does not require a complete restart. However, the setup may take a few minutes. On Mac, the update is slightly faster but requires a restart. Monterey and Big Sur have their own Safari update, labeled as 16.5.2, which does not appear to have been updated by Apple.

RSRs are meant to counter the reputation of security updates as cumbersome, time-consuming, and hungry for storage space. Apple introduced Rapid Security Responses in 2022 with macOS 13 and iOS/iPadOS 16. These lightweight security updates can be released separately from regular updates to quickly fix serious vulnerabilities. This allows Apple to react more promptly to known vulnerabilities without disrupting the planned development cycle. Additionally, users have the option to roll back updates if needed. In this case, the option to undo the first RSR, 16.5.1 (a), was helpful because that update caused issues with important websites. Users can undo the update in their system settings but will then no longer have the protection provided by the patch.
