Apple issued an emergency Rapid Security Response (RSR) to address a zero-day vulnerability spotted in fully patched iPhones, iPads, and Macs – and then withdrew it after it appeared to have caused a serious bug in Safari.
The update from Apple, for devices running on iOS 16.5.1, iPadOS 16.5.1, or macOS Ventura 13.4.1, was designed to protect users from the CVE-2023-37450 vulnerability.
The urgent RSR patch has only been issued once before in the company's history. It is likely that it will be reissued as soon as the Safari bug has been addressed.
Apple Releases Emergency Security Update, then Withdraws It
Apple released an urgent security patch to address a zero-day vulnerability that has been spotted on the latest versions of iOS, iPadOS, and macOS software.
The bug, known as CVE-2023-37450, puts unpatched users at risk of malware attacks by making it possible for bad actors to gain arbitrary code execution on targeted devices.
“This Rapid Security Response provides important security fixes and is recommended for all users” – Apple's security update
The vulnerability was first reported by an anonymous security researcher after being found in Apple Safari's WebKit browser engine, and is currently believed to be actively exploited.
However, Apple withdrew the update shortly after it was originally issued.
Why was Apple Security Update Withdrawn?
The update appears to have been removed after users reported problems using Safari once the patch was installed – specifically, sites including Facebook, WhatsApp, Instagram, Zoom and others displayed warnings that the Safari browser was not supported.
Following this, Apple pulled the Rapid Security Response, presumably to iron out the Safari bug.
The update is an important one, and as such Apple is expected to reissue it as soon as the bugs have been resolved.
What is Apple's Rapid Security Response?
Apple has patched ten zero-day vulnerabilities so far in 2023, including three bugs earlier this month which were exploited to deploy Triangulation spyware on iPhones, and two bugs in April which involved high-risk targets.
However, Apple's Rapid Security Response is a new type of patch that has only been deployed two times in total.
According to Apple's own statement, its new RSR delivers “important security improvements between software updates” and “may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist in the wild.”
In contrast to general security patches, RSRs appear to be deployed in high-stakes, urgent situations, when vulnerabilities are already being exploited. They also require users to install the updates themselves, rather than changing the software automatically.
How To Get the Security Update When Reissued
Fortunately, installing Apple's RSR security update is straightforward. If you have an iPhone or iPad, all you need to do is follow the steps below:
- Open your “General Settings”
- Go to “Software Update”
- Depending on your device, click “Download and Install” when you see “iOS Security Response Update 16.5.1 (a)” or “iPadOS Security Response Update 16.5.1 (a)”
Mac user? Follow these steps instead:
- Open up “System Settings” on Apple's menu, and select “General”
- Go to “Software Update” and select “macOS Security Response Update 13.4.1 (a)” when it is shown as available
After you click download, the device will then reboot to complete the installation.