Apple releases, quickly pulls Rapid Security Response update for 0-day WebKit bug


Yesterday, Apple published a new Rapid Security Response update for iOS 16, iPadOS 16, and macOS Ventura to patch yet another actively exploited WebKit code execution bug. But shortly after installation, users began having issues accessing certain websites, and Apple has apparently pulled the update to fix the problem.

According to MacRumors, affected sites include Facebook, Instagram, WhatsApp, and Zoom, which began showing warning messages about not being supported following the update.

Luckily for anyone who has installed it, Rapid Security Response updates can be removed just as quickly as they were installed; on iOS, navigate to the About page in the Settings app, tap on your iOS version, and then tap “Remove Security Response.”

Removing a Rapid Security Response update on an iPhone running iOS 16.5.1.
Andrew Cunningham

The benefit of Rapid Security Response updates is that they’re small and quick to install. The updates Apple has released so far have required a restart on my devices, but total downtime was much less than for a typical software update. This is because Apple keeps many Safari and WebKit components outside the Signed System Volume (SSV), the cryptographically sealed, read-only volume that holds most system files; a normal system update has to mount that volume separately, patch it, and re-seal it, and a Rapid Security Response can skip that step.

The downside of Rapid Security Response updates is that they may not be tested as thoroughly as full system updates. For comparison, Apple is currently on its fifth developer beta of iOS 16.6 and of macOS 13.5, and both have been in testing since mid-May; this Rapid Security Response had no comparable public beta period. You’ll typically still want to install them quickly, because the bugs they patch tend to be severe, but you may occasionally run into problems like this one.
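A practical follow-up to an incident like this is working out which managed devices actually have the pulled update on them. The example below is added here and is not code from the article or from Apple: it parses version strings in the form Apple uses for devices with a Rapid Security Response applied (a base version followed by a letter in parentheses, e.g. "16.5.1 (a)"), orders them so that a Rapid Security Response sorts above its base version but below the next full release, and triages a constructed inventory. The `PULLED` set and the inventory are assumptions made up for the example; `triage` and `AppleVersion` are names chosen here, not anything Apple ships.

```python
import re
from dataclasses import dataclass

# Matches "16.5.1", "16.6", "13.4.1 (a)" and similar. The parenthesised
# letter is the Rapid Security Response suffix; its absence means the
# device is on the plain base release.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:\((\w+)\))?\s*$")


@dataclass(frozen=True, order=True)
class AppleVersion:
    """OS version with an optional Rapid Security Response suffix.

    Field order matters: dataclass ordering compares (major, minor, patch,
    rsr) as a tuple, and "" sorts before "a", so "16.5.1" < "16.5.1 (a)"
    < "16.6".
    """

    major: int
    minor: int
    patch: int
    rsr: str  # "" when no Rapid Security Response is applied, else e.g. "a"

    @classmethod
    def parse(cls, text: str) -> "AppleVersion":
        m = _VERSION_RE.match(text)
        if not m:
            raise ValueError(f"unrecognised version string: {text!r}")
        major, minor, patch, rsr = m.groups()
        return cls(int(major), int(minor), int(patch or 0), (rsr or "").lower())

    def base(self) -> "AppleVersion":
        """The version the device reports after 'Remove Security Response'."""
        return AppleVersion(self.major, self.minor, self.patch, "")

    def has_rsr(self) -> bool:
        return self.rsr != ""


# Assumption for the example: the Rapid Security Response builds that were
# withdrawn. Keep this list in whatever source of truth your fleet uses.
PULLED = {
    AppleVersion.parse("16.5.1 (a)"),  # iOS / iPadOS
    AppleVersion.parse("13.4.1 (a)"),  # macOS Ventura
}


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Classify each device by what its reported version string implies.

    Returns one of:
      "remove-pulled-rsr": a withdrawn Rapid Security Response is installed
      "rsr-applied":       some other Rapid Security Response is installed
      "base-only":         no Rapid Security Response applied
    """
    result = {}
    for device, raw in inventory.items():
        v = AppleVersion.parse(raw)
        if v in PULLED:
            result[device] = "remove-pulled-rsr"
        elif v.has_rsr():
            result[device] = "rsr-applied"
        else:
            result[device] = "base-only"
    return result


# Constructed sample inventory (device name -> reported OS version string).
INVENTORY = {
    "iphone-ops-01": "16.5.1 (a)",
    "iphone-ops-02": "16.5.1",
    "mbp-sec-07": "13.4.1 (a)",
    "mbp-sec-08": "13.4.1",
    "ipad-kiosk-3": "16.4.1",
}

if __name__ == "__main__":
    for device, status in sorted(triage(INVENTORY).items()):
        print(f"{device:14} {INVENTORY[device]:12} {status}")
```

The ordering is the part worth getting right: a naive string comparison puts "16.5.1 (a)" below "16.5.1" or fails outright, and a fleet report that sorts that way will either miss the pulled update or tell users to remove a response they do not have.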

After a restart, the OS will let you know that the update has been removed.
Andrew Cunningham

WebKit vulnerabilities on iOS tend to be especially severe because any app that renders web content has to do so through a webview backed by the system’s built-in WebKit engine, the same engine Safari uses. That includes third-party browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge, which can’t ship their own rendering engines on iOS or iPadOS the way they can on macOS, Windows, or other platforms, so a single WebKit bug is exploitable through every browser on the device. Apple has long maintained that this restriction improves security on the platform.

Apple announced the Rapid Security Response feature as part of iOS 16 and macOS Ventura last June but didn’t actually start using the feature publicly until a couple of months ago. We’ve contacted Apple to ask if and when the removed Rapid Security Response update will be fixed and rereleased and will update the article if we get an answer.

https://arstechnica.com/?p=1952750