Apple’s second Rapid Security Response for macOS, iOS (and its re-release)

On Monday, July 10, Apple released its second-ever series of Rapid Security Response (RSR) updates for macOS Ventura, iOS 16, and iPadOS 16, to address an “actively exploited” vulnerability.

But shortly after the updates began to roll out, Apple halted them following reports that they broke some popular Web sites.

Apple re-issued the update on Wednesday, July 12, which both patches the original vulnerability and resolves the bug that was introduced in the July 10 releases of the RSR.

Let’s break down everything we know about these updates, and why you should install them urgently.

Apple addresses WebKit zero-day vulnerability in July 10 RSR

Apple addressed one “actively exploited” (i.e. in-the-wild) vulnerability in this week’s updates. The WebKit vulnerability (CVE-2023-37450) was addressed for all supported versions of macOS (Ventura, Monterey, and Big Sur), as well as iOS 16 and iPadOS 16.

WebKit

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved checks.

CVE-2023-37450: an anonymous researcher

Unsurprisingly, given that the vulnerability was reported by an anonymous researcher, little else is known about this WebKit bug. No additional details are currently available from third parties.

What went wrong with the “(a)” versions of the RSR?

Apple’s initial “(a)” RSR patches reportedly included an odd User Agent string, which caused a handful of popular sites to not render correctly. This reportedly included several Meta properties (Facebook, Instagram, and WhatsApp) as well as Zoom.

Every browser has a User Agent string that identifies itself to sites you visit, so sites can offer a version of the page most appropriate for that specific browser.

Within an hour or two of starting to roll out its second RSR, Apple pulled down the update, and it was no longer available to devices that hadn’t installed it yet.

An Apple support page suggested removing the “(a)” version patches for users who were having trouble. Apple advised waiting for “(b)” versions which would supposedly be available soon to address the newly introduced bug and re-patch the vulnerability.

Apple re-releases the RSR on July 12 as “(c)” versions

On Wednesday, July 12, Apple re-released the Rapid Security Response as macOS Ventura 13.4.1 (c), iOS 16.5.1 (c), and iPadOS 16.5.1 (c).

It’s unclear why Apple skipped the “(b)” designation that it claimed it would use for the re-release. Perhaps a “(b)” release was used in internal testing and turned out to not work as intended, so Apple opted to use a different moniker for the public re-issuance.

How to get the Rapid Security Response update

There have not been any common problems with the “(c)” versions of this Rapid Security Response, so now is the best time to install the updates, if you haven’t already done so.

Users of macOS Ventura can get this update by going to System Settings > General > Software Update.

If your Mac is running macOS Mojave, Catalina, Big Sur, or Monterey, and your Mac is compatible with macOS Ventura, you must first upgrade to macOS Ventura by going to System Preferences > Software Update. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there. After installing the latest version of macOS Ventura, check for updates again to get the RSR.

If you have an iPhone with iOS 16 or an iPad with iPadOS 16, you can also get the update by going to Settings > General > Software Update.

If your device still has iOS or iPadOS 15 installed and it’s compatible with 16, you’ll need to first upgrade to the latest version of 16 and then check again for the RSR.

After installing the update, the OS version number will include “(c)” at the end, as follows:

  • macOS Ventura 13.4.1 (c)
  • iOS 16.5.1 (c)
  • iPadOS 16.5.1 (c)

Notably, older versions of Apple’s operating systems do not support the Rapid Security Response feature.
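For anyone checking more than one Mac, the version strings above can be turned into a simple status check. This is an added example, not code from Apple or Intego; the status labels and function names are made up for illustration, and it only covers the macOS versions named in this article (anything newer than 13.4.1 is reported as outside the article's scope).

```shell
#!/bin/sh
# Added example: classify a macOS version against the RSR versions in this article.
# rsr_status VERSION EXTRA   e.g. rsr_status 13.4.1 "(c)"

# Turn "13.4.1" into a comparable integer: 13*10000 + 4*100 + 1.
ver_num() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

rsr_status() {
    version=$1
    extra=$2
    n=$(ver_num "$version")
    if [ "$n" -lt 130000 ]; then
        # Monterey, Big Sur and older: no RSR feature (Safari update or OS upgrade)
        echo "no-rsr-support"
    elif [ "$n" -lt 130401 ]; then
        # Ventura older than 13.4.1: install 13.4.1 first, then check for the RSR
        echo "update-os-first"
    elif [ "$n" -gt 130401 ]; then
        # Later release, not covered by this article
        echo "newer-than-article"
    else
        case $extra in
            "(c)") echo "patched" ;;         # re-released RSR from July 12
            "(a)") echo "withdrawn-rsr" ;;   # July 10 RSR that Apple pulled; install (c)
            "")    echo "rsr-missing" ;;     # 13.4.1 without any RSR
            *)     echo "unknown-suffix" ;;
        esac
    fi
}

# On a Mac, feed in the live values; the Extra field is empty when no RSR is installed.
if command -v sw_vers >/dev/null 2>&1; then
    rsr_status "$(sw_vers -productVersion)" \
               "$(sw_vers --productVersionExtra 2>/dev/null)"
fi
```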

macOS Monterey and macOS Big Sur also got Safari 16.5.2 updates

Interestingly, Apple released Safari 16.5.2 for macOS Monterey and macOS Big Sur in tandem with the Rapid Security Response. The first time Apple released an RSR, on May 1, the company waited until May 18 before patching the two actively exploited WebKit vulnerabilities for the two previous macOS versions.

The update is available in System Preferences > Software Update on Macs running macOS Monterey or macOS Big Sur.

It’s important to note that, while Apple released this security update simultaneously with the RSR, Apple has a history of not always patching some vulnerabilities for previous macOS versions. Additionally, even when Apple does patch vulnerabilities in older macOS versions, it often does so after a seemingly arbitrary delay. For maximum security, therefore, it’s critical to stay on the latest version of macOS at all times.

What about watchOS, tvOS, and other Apple OSes?

Apple’s other operating systems, which also include WebKit, have not been patched yet.

Other operating systems that might be impacted by the actively exploited WebKit vulnerability may include watchOS 9 and tvOS 16.

Apple sometimes releases incomplete patches for iOS 15 and iPadOS 15. As recently as January 2023, Apple even released a patch for iOS 12, although that may have been the final incomplete patch for the very outdated OS. The company has also released a single patch for a single vulnerability in watchOS 8 for Apple Watch Series 3 while leaving other actively exploited vulnerabilities unpatched.

Key takeaways

If you get nothing else out of this article, here are some key points:

  • Apple released urgent security updates this week; check for and install updates on your Macs, iPhones, and iPads as soon as possible.
  • At this point, macOS Ventura, iOS 16, and iPadOS 16 are the only safe operating systems to use on Macs, iPhones, and iPads, respectively.
    • If you have a Mac for which Apple doesn’t officially support Ventura, you may be able to upgrade it anyway.
    • If you have an older iPhone or iPad that isn’t compatible with 16.x, or any model of the discontinued iPod touch, buying a new device is the safest option.
  • Watch for possible updates for watchOS 9 and tvOS 16 (and perhaps for older versions of iOS or watchOS—although that’s far from guaranteed) in the coming weeks.

It is advisable to update to the latest operating systems as soon as you reasonably can, especially when Apple either releases a Rapid Security Response or warns that there are “actively exploited” vulnerabilities in the wild. It’s important to get the benefits of new security fixes as quickly as possible to help you stay protected from hackers and malware.

If you have a Mac running macOS Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the current Monterey or Big Sur version for now, and then as soon as practical, upgrade to macOS Ventura. Here’s why. Generally speaking, it is best to upgrade to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.

Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious

Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.

See also our article on how to back up your iPhone or iPad to iCloud and to your Mac.

Should you back up your iPhone to iCloud or your Mac? Here’s how to do both

See also our related article on how to check your macOS backups to ensure they work correctly.

How to Verify Your Backups are Working Properly

How can I learn more?

On episodes 300 and 301 of the Intego Mac Podcast, we talked about the initial and re-released versions of Apple’s second Rapid Security Response, respectively.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.