Apple pushes first-ever 'rapid' patch – and rapidly screws up
Maybe you're just installing it wrong?
Apple on Monday pushed to some iPhones and Macs its first-ever rapid security fix.
This type of patch is supposed to be downloaded and applied automatically and seamlessly by the operating system to immediately protect devices from exploitation, thus avoiding the usual system update cycle that users may put off or miss and thus leave their stuff vulnerable to attack.
As luck would have it, though, this first-of-its-kind patch didn't go off without a hitch. Some Cupertino fans reported problems actually getting the update.
"iOS Security Response 16.4.1 (a) failed verification because you are no longer connected to the internet," was the commonly reported failure message from the operating system, although users typically were able to apply the security update after a try or two.
Also: Apple hasn't released any notes alongside the rapid patch nor if the update patched a vulnerability that miscreants have already found and exploited. And as security analyst Will Dormann asked, will the bug(s) will eventually be assigned CVEs?
These Apple Rapid Security Response updates...They'll eventually get CVEs and descriptions, right? pic.twitter.com/IQqT6rALLo
— Will Dormann (@wdormann) May 1, 2023
Considering that some recent iOS and macOS updates covered zero-days that had already been exploited by snoops to deploy spyware on victims' devices, it's a good idea not to wait on installing this one latest fix, even if the installation process takes longer than it should.
Here's what we do know about the iGiant's first-ever "Rapid Security Response," according to Apple's May 1 advisory:
Rapid Security Responses are a new type of software release for iPhone, iPad, and Mac. They deliver important security improvements between software updates — for example, improvements to the Safari web browser, the WebKit framework stack, or other critical system libraries. They may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist "in the wild."
Note: the quotation marks around "in the wild" are Apple's, not ours.
- Another zero-click Apple spyware maker just popped up on the radar again
- Apple squashes iOS, macOS zero-day bugs already exploited by snoops
- Apple, Google propose anti-stalking spec for Bluetooth tracker tags
- Update now: Google emits emergency fix for zero-day Chrome vulnerability
Also, Apple only pushes these new quick fixes to the latest versions of iOS, iPadOS and macOS beginning with iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1. Customers with more venerable software will have to wait for normal software updates.
These latest fixes are supposed to be applied automatically by default (assuming they work), and once the update has been verified, it's denoted by a letter after the numbers, ie: macOS 13.3.1(a).
If you turn off this default setting (probably a bad idea in the long run), your device will receive the fixes when they are included in a regular OS update. ®