Earlier this month, Apple rolled out its first Rapid Security Response (RSR) update to the public, following extensive testing since the launch of iOS 16. Distinct from the primary iOS updates, RSR enables Apple to dispatch fixes for critical bugs that might be actively exploited, without the need to wait for the next scheduled update cycle.
Not as smooth as hoped
Despite the testing on beta versions of iOS 16, early adopters hit an error message when attempting to install the update. The installation did eventually complete for them.
The notification users observed when their device failed to install the RSR. Source: Zack Whittaker / Tech Crunch
What’s in it?
Post-release, there was much speculation about the contents of the RSR. Apple indicated that these security responses could include patches for WebKit, the engine powering the Safari browser, and other crucial system libraries. It was quickly noted that there was a change in Safari’s build number, hinting at a potential WebKit vulnerability patch:
The only obvious change following installation of this RSR is that Safari has an incremented build number, from version 16.4 build 18615.1.26.11.23 to version 16.4 build 18615.1.26.110.1.
With the release of today’s iOS 16.5 update, these speculations have been confirmed.
The security content of the latest update addresses three WebKit vulnerabilities that were exploited in the wild. Two of these vulnerabilities, reported by an anonymous researcher, were included in the earlier RSR this month. The first vulnerability (CVE-2023-28204) involved an out-of-bounds read in WebKit that could disclose sensitive information, and the second (CVE-2023-32373) was a use-after-free issue that could lead to arbitrary code execution.
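Because the Safari build bump is the only visible sign that the RSR landed, a fleet check can key on it. The following is an added example, not code from the original post: it compares reported Safari builds numerically against the post-RSR build quoted above and flags devices still on an older build. The device inventory is constructed, as are the two builds not quoted in the post.

```python
"""Flag devices whose Safari build predates the RSR-patched build."""

# Builds quoted in the post: Safari 16.4 before and after the first public RSR.
PRE_RSR_BUILD = "18615.1.26.11.23"
RSR_BUILD = "18615.1.26.110.1"


def build_key(build: str) -> tuple[int, ...]:
    """Turn a dotted build string into a tuple of ints for numeric comparison.

    Comparing the raw strings is wrong once component widths differ:
    "9.1" sorts after "11.23" as text but is the older build.
    A shorter tuple that is a prefix of a longer one compares lower,
    so "18615.1" is treated as older than "18615.1.0".
    """
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric build component in {build!r}")
    return tuple(int(p) for p in parts)


def is_patched(observed_build: str, fixed_build: str = RSR_BUILD) -> bool:
    """True when the observed Safari build is at or above the RSR build."""
    return build_key(observed_build) >= build_key(fixed_build)


def unpatched_devices(inventory: dict[str, str], fixed_build: str = RSR_BUILD) -> list[str]:
    """Return sorted device ids whose reported build still predates the RSR."""
    return sorted(dev for dev, build in inventory.items()
                  if not is_patched(build, fixed_build))


# Constructed sample inventory (e.g. pulled from an MDM): device id -> Safari build.
SAMPLE_INVENTORY = {
    "ipad-001": PRE_RSR_BUILD,
    "iphone-002": RSR_BUILD,
    "iphone-003": "18615.1.26.9.7",   # constructed: older build, narrower component
    "mac-004": "18615.2.0.1.1",       # constructed: newer than the RSR build
}

if __name__ == "__main__":
    for dev in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{dev}: Safari build {SAMPLE_INVENTORY[dev]} predates RSR build {RSR_BUILD}")
```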
Thanks to the Rapid Security Response, Apple was able to patch devices weeks before the full update shipped, potentially limiting the number of victims. The third zero-day, which the earlier Rapid Security Response did not address, was reported by Google's Threat Analysis Group and Amnesty International, which suggests a connection to the deployment of commercial spyware.
Sources
- What is a Rapid Security Response (RSR)?
- Apple has just released the first Rapid Security Response for Ventura
- About the security content of iOS 16.5 and iPadOS 16.5
- About Rapid Security Responses for iOS, iPadOS, and macOS
- Apple releases first ‘rapid’ security fixes for iPhones, iPads and Macs
- Apple releases second Rapid Security Response in iOS 16.4 beta