We’ve written concerning the uncertainty of Apple’s safety replace course of many instances earlier than.
We’ve had pressing updates accompanied by electronic mail notifications that warned us of zero-day bugs that wanted fixing immediately, as a result of crooks have been already onto them…
…however with out even the vaguest description of what kind of criminals, and what they have been as much as, which might not less than assist to spherical out the story.
Our method has due to this fact been merely to imagine the worst, and to deduce that the story that Apple wasn’t telling ran one thing like this: “Devices analysed in the wild found to have hidden spyware implanted by unknown threat actors.”
And we’ve due to this fact adopted our personal rhyming recommendation of: Do not delay/Simply do it in the present day.
We’ve had updates arrive for the very newest macOS and iOS variations, however with nothing for earlier supported variations, with no point out of whether or not these units have been immune by luck, in danger however left in limbo for some time, or in danger however by no means going to be mounted.
Sometimes, these older variations have acquired their very own patches for precisely the identical zero-day holes, with out clarification, days or even weeks later.
At different instances, the subsequent updates for these older variations have not less than implied that the zero-day holes didn’t have an effect on them in any case.
Enter the Rapid Security Response
Well, in the present day (which simply occurs to be a public vacation within the UK, as we have fun Beltane and the approximate midway level between vernal equinox and summer time solstice), we acquired a model new type of replace notification for each our Mac and our iPhone.
This one introduced what Apple calls a Security Response, tagged not with a brand new model quantity, however with a letter in spherical brackets after the present model quantity.
For macOS Ventura, we have been provided model 13.3.1 (a) and for our iPhone, we have been provided 16.4.1 (a).
On each units, there was a model new URL that linked to not Apple’s regular HT201222 Security Updates portal (which hasn’t been up to date since 2023-04-12 – we checked), however to a model new web page named HT201224, entitled Rapid Security Responses:
Rapid Security Responses are a brand new kind of software program launch for iPhone, iPad, and Mac. They ship essential safety enhancements between software program updates — for instance, enhancements to the Safari net browser, the WebKit framework stack, or different essential system libraries. They can also be used to mitigate some safety points extra rapidly, reminiscent of points which may have been exploited or reported to exist “in the wild.”
We couldn’t assist however smile on the alternative of phrases, as we suspect you’ll too.
The well-known and widely-understood phrase within the wild is caught between air-quotes; the phrase zero-day is averted solely, and any doable in-the-wildness is waved away as might need been exploited, and left unadmitted with the phrases reported to exist.
Who will get these patches?
As Apple notes, this type of fast patch is the firt of its kind: New Rapid Security Responses are delivered just for the newest model of iOS, iPadOS and macOS — starting with iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1.
So, not less than we all know that there aren’t purported to be updates proper noe for iOS and iPadOS 15, or for macOS 11 and 12 (Big Sur and Monterey), as a result of these variations don’t assist the this new rapid-patching system.
But that’s all we all know, as a result of what you see above is, because the saying goes, all she wrote.
What to do?
There are not any launch notes to go along with the 13.3.1 (a) and 16.4.1 (a) patches for macOS and iOS/iPadOS, so the elements of the system wanted patching, and the character of the vulnerabilities that have been mounted, are left unsaid.
The HT201224 net web page invitations us to imagine that this type of emergency repair shall be use to patch critical WebKit or kernel-level bugs (the very kind that malware implanters and adware operators love to take advantage of), however simply how harmful and exploitable the unknown bugs are on this case is, clearly, unknown.
Nevertheless, on condition that these Rapid Security Responses sound very very similar to zero-day anti-spyware fixes, and that Apple is not less than clear that they relate to “important security improvements”, we went forward with them, forcing an replace of our units immediately.
- On our Mac, the method was fast – a lot, a lot faster than a sometimes system replace, taking about two minutes altogether, together with ready 60 seconds for a reboot to begin. Our system now certainly studies that it’s operating macOS 13.3.1 (a).
- On our iPhone, we weren’t so lucky. As reported by some commenters on Naked Security, our replace downloaded OK, however failed with a notification and a popup saying, “iOS Security Response 16.4.1 (a) failed verification because you are no longer connected to the internet.”Ironically, we have been fortunately searching and emailing on the time, so the apps on our system didn’t appear to have any hassle connecting to the web.
We tried logging into our App Store account (we usually login solely to get app updates, which do require an authenticated connection, as explicitly famous by the App Store app), however that made no distinction.
Retrying didn’t assist both.
Have you up to date but, and in that case, how did you get together with the method?
Update. About an hour after we first tried putting in the replace on our cellphone, we had one other go. This time the replace verification succeeded, our cellphone immediately rebooted and the Rapid Security Response was put in and the reboot accomplished inside a couple of tens of seconds, relatively than the same old tens of minutes or longer. [2023-05-01T20:00:00Z]