On Monday, July 10, Apple released its second-ever series of Rapid Security Response (RSR) updates for macOS Ventura, iOS 16, and iPadOS 16, to address an “actively exploited” vulnerability.
But shortly after the updates began to roll out, Apple halted them following reports that they broke some popular Web sites.
Apple re-issued the update on Wednesday, July 12; the re-release both patches the original vulnerability and resolves the bug that was introduced in the July 10 releases of the RSR.
Let’s break down everything we know about these updates, and why you should install them urgently.
Apple addressed one “actively exploited” (i.e. in-the-wild) vulnerability in this week’s updates. The WebKit vulnerability (CVE-2023-37450) was addressed for all supported versions of macOS (Ventura, Monterey, and Big Sur), as well as iOS 16 and iPadOS 16.
WebKit
Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: The issue was addressed with improved checks.
CVE-2023-37450: an anonymous researcher
Unsurprisingly, given that the vulnerability was reported by an anonymous researcher, little else is known about this WebKit bug. No additional details are currently available from third parties.
Apple’s initial “(a)” RSR patches reportedly included an odd User Agent string, which caused a handful of popular sites to not render correctly. This reportedly included several Meta properties (Facebook, Instagram, and WhatsApp) as well as Zoom.
Every browser has a User Agent string that identifies it to the sites you visit, so sites can offer a version of the page most appropriate for that specific browser.
Within an hour or two of starting to roll out its second RSR, Apple pulled down the update, and it was no longer available to devices that hadn’t installed it yet.
An Apple support page suggested removing the “(a)” version patches for users who were having trouble. Apple advised waiting for “(b)” versions which would supposedly be available soon to address the newly introduced bug and re-patch the vulnerability.
On Wednesday, July 12, Apple re-released the Rapid Security Response as macOS Ventura 13.4.1 (c), iOS 16.5.1 (c), and iPadOS 16.5.1 (c).
It’s unclear why Apple skipped the “(b)” designation that it claimed it would use for the re-release. Perhaps a “(b)” release was used in internal testing and turned out to not work as intended, so Apple opted to use a different moniker for the public re-issuance.
There have not been any common problems with the “(c)” versions of this Rapid Security Response, so now is the best time to install the updates, if you haven’t already done so.
Users of macOS Ventura can get this update by going to System Settings > General > Software Update.
If your Mac is running macOS Mojave, Catalina, Big Sur, or Monterey, and your Mac is compatible with macOS Ventura, you must first upgrade to macOS Ventura by going to System Preferences > Software Update. If your Mac is running macOS High Sierra or older and is compatible with macOS Ventura, look for macOS Ventura in the Mac App Store and download it from there. After installing the latest version of macOS Ventura, check for updates again to get the RSR.
If you have an iPhone with iOS 16 or an iPad with iPadOS 16, you can also get the update by going to Settings > General > Software Update.
If your device still has iOS or iPadOS 15 installed and it’s compatible with 16, you’ll need to first upgrade to the latest version of 16 and then check again for the RSR.
After installing the update, the OS version number will include “(c)” at the end: macOS Ventura 13.4.1 (c), iOS 16.5.1 (c), or iPadOS 16.5.1 (c).
Notably, older versions of Apple’s operating systems do not support the Rapid Security Response feature.
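For anyone managing more than one device, the check described above can be run over an inventory of reported OS versions. This is an added example, not code from the original article or from Apple; the host names, sample versions, and status labels are constructed for illustration, and the handling of releases newer than those named in the article is an assumption.

```python
import re

# Fixed releases named in the article: platform -> (base version, RSR letter).
FIXED = {"macOS": ((13, 4, 1), "c"), "iOS": ((16, 5, 1), "c"), "iPadOS": ((16, 5, 1), "c")}
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,2})\s*(?:\(([a-z])\))?\s*$")

INVENTORY = [  # constructed sample; host names and versions are illustrative only
    ("mac-01", "macOS", "13.4.1 (c)"),
    ("mac-02", "macOS", "13.4.1 (a)"),
    ("mac-03", "macOS", "12.6"),
    ("phone-01", "iOS", "16.5.1"),
    ("pad-01", "iPadOS", "16.4"),
]


def parse_version(text):
    """Split '13.4.1 (c)' into ((13, 4, 1), 'c'); the letter is None without an RSR."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised OS version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # treat '16.4' as 16.4.0
    return tuple(parts), match.group(2)


def rsr_status(platform, version_text):
    """Classify one device against the re-issued (c) Rapid Security Response."""
    if platform not in FIXED:
        return "unknown-platform"
    fixed_base, fixed_letter = FIXED[platform]
    base, letter = parse_version(version_text)
    if base[0] < fixed_base[0]:
        return "no-rsr-support"  # older major versions do not offer RSRs
    if base < fixed_base:
        return "update-os-first"  # install the latest OS, then check again
    if base > fixed_base:
        return "newer-release"  # outside the article; assumed to carry the fix
    if letter is None:
        return "missing-rsr"
    return "patched" if letter >= fixed_letter else "superseded-rsr"  # assumes (a) < (c)


def audit(inventory):
    return {host: rsr_status(platform, version) for host, platform, version in inventory}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

A "superseded-rsr" result marks a device still on the withdrawn “(a)” build, and "no-rsr-support" on a Mac means the Safari 16.5.2 update is the relevant fix instead.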
Interestingly, Apple released Safari 16.5.2 for macOS Monterey and macOS Big Sur in tandem with the Rapid Security Response. The first time Apple released an RSR, on May 1, the company waited until May 18 before patching the two actively exploited WebKit vulnerabilities for the two previous macOS versions.
The update is available in System Preferences > Software Update on Macs running macOS Monterey or macOS Big Sur.
It’s important to note that, while Apple released this security update simultaneously with the RSR, Apple has a history of not always patching some vulnerabilities for previous macOS versions. Additionally, even when Apple does patch vulnerabilities in older macOS versions, it often does so after a seemingly arbitrary delay. For maximum security, therefore, it’s critical to stay on the latest version of macOS at all times.
Apple’s other operating systems, which also include WebKit, have not been patched yet.
Other operating systems that might be impacted by the actively exploited WebKit vulnerability include watchOS 9 and tvOS 16.
Apple sometimes releases incomplete patches for iOS 15 and iPadOS 15. As recently as January 2023, Apple even released a patch for iOS 12, although that may have been the final incomplete patch for the very outdated OS. The company has also released a single patch for a single vulnerability in watchOS 8 for Apple Watch Series 3 while leaving other actively exploited vulnerabilities unpatched.
If you get nothing else out of this article, here are some key points:
It is advisable to update to the latest operating systems as soon as you reasonably can, especially when Apple either releases a Rapid Security Response or warns that there are “actively exploited” vulnerabilities in the wild. It’s important to get the benefits of new security fixes as quickly as possible to help you stay protected from hackers and malware.
If you have a Mac running macOS Monterey or Big Sur that’s compatible with Ventura, you may wish to update to the current Monterey or Big Sur version for now, and then as soon as practical, upgrade to macOS Ventura. Here’s why. Generally speaking, it is best to upgrade to the latest Apple OS versions quickly for security reasons. For maximum security, one cannot rely on any minimal security patches Apple may release for previous OS versions.
Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.
See also our article on how to back up your iPhone or iPad to iCloud and to your Mac.
See also our related article on how to check your macOS backups to ensure they work correctly.
On episodes 300 and 301 of the Intego Mac Podcast, we talked about the initial and re-released versions of Apple’s second Rapid Security Response, respectively.