We’ve written about the uncertainty of Apple’s security update process many times before.
We’ve had urgent updates accompanied by email notifications that warned us of zero-day bugs that needed fixing right away, because crooks were already onto them…
…but without even the vaguest description of what sort of criminals, and what they were up to, which would at least help to round out the story.
Our approach has therefore been simply to assume the worst, and to infer that the story that Apple wasn’t telling ran something like this: “Devices analysed in the wild found to have hidden spyware implanted by unknown threat actors.”
And we’ve therefore followed our own rhyming advice of: Do not delay/Simply do it today.
We’ve had updates arrive for the very latest macOS and iOS versions, but with nothing for earlier but widely-used and still-supported versions, with no mention of whether those devices were immune by good fortune, at risk but left in limbo for a while, or at risk but never going to be fixed.
Sometimes, those older versions have received their own patches for exactly the same zero-day holes, without explenation, possibly several days or weeks later.
At other times, the next updates for those older versions have at least implied that the zero-day holes didn’t affect them after all.
Enter the Rapid Security Response
Well, today (which just happens to be a public holiday in the UK, as we celebrate Beltane and the approximate halfway point between vernal equinox and summer solstice), we received a brand new sort of update notification for both our Mac and our iPhone.
This one announced what Apple calls a Security Response, tagged not with a new version number, but with a letter in round brackets after the existing version number.
For macOS Ventura, we were offered version 13.3.1 (a) and for our iPhone, we were offered 16.4.1 (a).
On both devices, there was a brand new URL that linked not to Apple’s usual HT201222 Security Updates portal (which hasn’t been updated since 2023-04-12 – we checked), but to a brand new page named HT201224, entitled Rapid Security Responses:
Rapid Security Responses are a new type of software release for iPhone, iPad, and Mac. They deliver important security improvements between software updates — for example, improvements to the Safari web browser, the WebKit framework stack, or other critical system libraries. They may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist “in the wild.”
We couldn’t help but smile at the choice of words, as we suspect you will too.
The well-known and widely-understood phrase in the wild inserted is stuck between air-quotes; the phrase zero-day is avoided entirely, and any possible in-the-wildness is waved away as might have been exploited, and left unadmitted with the words reported to exist.
Who gets these patches?
As Apple notes, this sort of rapid patch is the firt of its sort: New Rapid Security Responses are delivered only for the latest version of iOS, iPadOS and macOS — beginning with iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1.
So, at least we know that there aren’t supposed to be updates right noe for iOS and iPadOS 15, or for macOS 11 and 12 (Big Sur and Monterey), because those versions don’t support the this new rapid-patching system.
But that’s all we know, because what you see above is, as the saying goes, all she wrote.
What to do?
There are no release notes to go with the 13.1.1 (a) and 16.4.1 (a) patches for macOS and iOS/iPadOS, so the parts of the system needed patching, and the nature of the vulnerabilities that were fixed, are left unsaid.
The HT201224 web page invites us to assume that this sort of emergency fix will be use to patch serious WebKit or kernel-level bugs (the very sort that malware implanters and spyware operators love to exploit), but just how dangerous and exploitable the unknown bugs are in this case is, obviously, unknown.
Nevertheless, given that these Rapid Security Responses sound very much like zero-day anti-spyware fixes, and that Apple is at least clear that they relate to “important security improvements”, we went ahead with them, forcing an update of our devices right away.
- On our Mac, the process was quick – much, much quicker than a typically system update, taking about two minutes altogether, including waiting 60 seconds for a reboot to start. Our system now indeed reports that it’s running macOS 13.3.1 (a).
- On our iPhone, we weren’t so fortunate. As reported by some commenters on Naked Security, our update downloaded OK, but failed with a notification and a popup saying, “iOS Security Response 16.4.1 (a) failed verification because you are no longer connected to the internet.”
Ironically, we were happily browsing and emailing at the time, so the apps on our device didn’t seem to have any trouble connecting to the internet.
We tried logging into our App Store account (we normally login only to get app updates, which do require an authenticated connection, as explicitly noted by the App Store app), but that made no difference.
Retrying didn’t help either.
Have you updated yet, and if so, how did you get along with the process?
Update. About an hour after we first tried installing the update on our phone, we had another go. This time the update verification succeeded, our phone instantly rebooted and the Rapid Security Response was installed and the reboot completed within a few tens of seconds, rather than the usual tens of minutes or longer. [2023-05-01T20:00:00Z]