rapid response —

Apple uses iOS and macOS Rapid Security Response feature for the first time

Rapid Security Response updates haven't been released to the public until today.

Macs running macOS Ventura.
Enlarge / Macs running macOS Ventura.
Apple

When it announced iOS 16, iPadOS 16, and macOS Ventura at its Worldwide Developers Conference last summer, one of the features Apple introduced was something called "Rapid Security Response." The feature is meant to enable quicker and more frequent security patches for Apple's newest operating systems, especially for WebKit-related flaws that affect Safari and other apps that use Apple's built-in browser engine.

Nearly a year after that WWDC and more than seven months after releasing iOS 16 in September, Apple has finally issued a Rapid Security Response update. Available for iOS and iPadOS devices running version 16.4.1 or Macs running version 13.3.1, the update adds an (a) to your OS version to denote that it's been installed.

At this point, it's unclear whether Apple intends to release more information about the specific bugs patched by this Security Response update; the support page linked to in the update is just a general description of Rapid Security Response updates and how they work, and Apple's Security Updates page hasn't been updated with more information as of this writing.

Apple has released several Rapid Security Response updates to iOS and macOS beta users before now, including during iOS 16.4's beta phase, but it has never released one to the public until today. It's possible that the updates released to beta users were simply testing the update mechanism rather than applying meaningful security patches.

As detailed in our macOS Ventura review, the Rapid Security Response feature required significant under-the-hood changes to how the encrypted sealed system volumes in iOS and macOS normally work. In previous OS versions, all system files were on a signed system volume (SSV), and any change to the files required the entire system volume to be loaded as a snapshot, patched, resealed, and then loaded the next time the device reboots.

This setup protects system files from tampering, but the downsides are increased update download sizes, longer update times, and mandatory reboots, something users will often put off to avoid interrupting what they're trying to use their computers for. The iOS 16 and macOS Ventura updates move some system files outside of the SSV into still-encrypted but smaller and more compartmentalized extensions of the SSV. These "cryptexes" can be updated without modifying the main SSV.

Rapid Security Response updates should generally be smaller than other kinds of updates.
Rapid Security Response updates should generally be smaller than other kinds of updates.
Andrew Cunningham

Rapid Security Response updates won't always come without reboots—today's update required a reboot of my M1 MacBook Air and iPhone 13 Pro—but these did have much smaller file sizes and installation times than the 16.4.1 and 13.3.1 updates that Apple released earlier this month. The iOS 16.4.1 (a) update was only 85.7MB on my phone, while the 16.4.1 update was several hundred MB (this will vary from device to device).

Rapid Security Response updates can be disabled in Settings without modifying your settings for downloading and installing other kinds of iOS and macOS updates. The updates can also be removed post-installation.

Today's update initially threw an error message for people who attempted to install it, but as of this story's publication, it seems like Apple fixed the problem.

Channel Ars Technica