Apple releases iOS 16.7.2 and iOS 15.8 security updates to patch old hardware

iPhones running iOS 15.

Apple is releasing a slew of updates for its latest operating systems today, including iOS and iPadOS 17.1, macOS Sonoma 14.1, watchOS 10.1, and others. The company is also releasing security updates for a few previous-generation operating systems, so that people who aren’t ready to upgrade (and older devices that can’t upgrade) will still be protected from new exploits.

Those updates include iOS and iPadOS 16.7.2 and 15.8, macOS Ventura 13.6.1, macOS Monterey 12.7.1, and the Safari 17.1 update for both of those macOS versions. At least for now, the iOS and iPadOS 16 updates cover older iPhones and iPads that can’t run iOS 17 and newer devices whose owners simply don’t want to install iOS 17 yet. Apple will eventually stop supporting newer hardware with iOS 16 security updates, but for now, the grace period is still in effect.

This is the first security update that Apple has delivered for iOS 15 since mid-September, suggesting that the company plans to keep supporting 2021’s iOS release with continued security updates for at least a while longer. The iOS 15.8 update will only run on phones and tablets that can’t install iOS 16 or 17, including the iPhone 6S, the iPhone 7, the original iPhone SE, the iPad Air 2, and the last iPod Touch.

Apple doesn’t publish official end-of-life notices for any of its software, so software updates for older OSes generally end with little notice. Apple at least behaves predictably with macOS; Apple provides security and feature updates to the current version (in this case, macOS 14 Sonoma) along with Safari and security updates to the two previous versions. This policy remains unwritten, but Apple has stuck to it for decades, so you can plan around it with some confidence.

There’s less of a track record for iOS and iPadOS. It used to be that Apple didn’t update older versions at all, outside of extremely rare one-off fixes for specific problems. But Apple did provide regular security updates for iOS 12 for close to two years after it was replaced, the same timeline it uses for Mac updates. We haven’t had another data point since then—everything that ran iOS 13 and 14 could also run iOS 15, so Apple didn’t provide extended security updates for those two versions.

Today’s release doesn’t confirm that Apple plans another full year of iOS 15 updates, but it is a sign that Apple plans to treat old iOS releases the same way it treats macOS; rolling over from 15.7.x to 15.8.x also follows the numbering pattern Apple has used for the last few macOS releases.

As of May 30, Apple’s statistics show that 13 percent of all active iPhones and 20 percent of active iPads were running iOS 15. Of those, a fair number are newer devices that can be updated to versions 16 and/or 17. But with Apple’s sales volumes, that still leaves millions of devices that can benefit from continued iOS 15 security updates. If you hang on to hardware for a long time, or if you hand devices down to kids or other family members for extended use, it’s worth keeping track of what operating systems Apple is still actively supporting.

Devices that stop getting security updates will continue to function, and app developers can choose to target older iOS versions for as long as they want. But it will gradually become less safe to use them on the Internet, and new app updates and websites will gradually leave them behind.

Regardless, Apple has said in the past that only its latest operating systems are guaranteed to be fully patched. Sometimes older versions get the same patches later, and sometimes they don’t get patches at all, even if they are being actively updated.

Case in point: the iOS 15.8 release lists a single kernel-level security problem, CVE-2023-32434, while the iOS 16.7.2 update fixes 17 vulnerabilities throughout the operating system, and iOS 17.1 fixes 21. Sometimes older OSes aren’t affected by all the same vulnerabilities as newer ones, but this is also information Apple doesn’t usually provide.

https://arstechnica.com/?p=1978048




iOS 16.7 arrives for older iPhones and people who don’t want to upgrade

iPhones running iOS 16.

Apple has released iOS 17 and iPadOS 17 (and their first minor patch, version 17.0.1) to the public this week, and by most accounts, it’s a fairly mild and stable update that doesn’t seem to be breaking much. But a few years ago, as you might recall, Apple made a change to how it handles operating system transitions—iOS 16 will keep getting updates for a short stretch so that people who want to wait a bit before they upgrade can do so without missing important security updates.

The iOS and iPadOS 16.7 update covers all devices that could run version 16, including older stuff like the iPhone 8, iPhone X, and first-gen iPad Pro that can’t be upgraded to version 17. In a couple of months, if precedent holds, newer devices will have to upgrade to keep getting security fixes, while iOS 16 updates will continue to support older devices for at least another year.

On the Mac side, Apple continues releasing security updates for operating systems for two years after they’re replaced by a new version. For the last year, that has meant that versions 11, 12, and 13 (Big Sur, Monterey, Ventura) have all been getting patches. Now that version 14 (Sonoma) is around the corner, version 11 will stop being updated.

There’s just not as much precedent for this in iOS and iPadOS. After iOS 13 dropped support for a substantial group of iPhones, including popular models like the iPhone 6, Apple released fairly regular security updates for iOS 12 for around two years, similar to how it handles Mac updates. Apple could keep releasing security updates for iOS 15 and iOS 16 this year.

But the company rarely if ever elaborates on its update timelines or plans for the future, so we likely won’t know for sure until we’ve seen another round or two of security updates. The most recent update for iOS 15, version 15.7.9, was released earlier this month.

https://arstechnica.com/?p=1970394




Apple patches “clickless” 0-day image processing vulnerability in iOS, macOS


Apple has released security updates for iOS, iPadOS, macOS, and watchOS today to fix actively exploited zero-day security flaws that can be used to install malware via a “maliciously crafted image” or attachment. The iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2 updates patch the flaws across all of Apple’s platforms. As of this writing, no updates have been released for older versions like iOS 15 or macOS 12.

The CVE-2023-41064 and CVE-2023-41061 flaws were reported by the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto. The flaws are also dubbed “BLASTPASS,” and Citizen Lab says that the bugs are serious because they can be exploited just by loading an image or attachment, which happens regularly in Safari, Messages, WhatsApp, and other first- and third-party apps. These bugs are also called “zero-click” or “clickless” vulnerabilities.

Citizen Lab also said that the BLASTPASS bug was “being used to deliver NSO Group’s Pegasus mercenary spyware,” the latest in a long line of similar exploits that have been used to infect fully patched iOS and Android devices.

Users worried about these kinds of flaws can mitigate them proactively by enabling Lockdown Mode on their iOS and macOS devices; among other things, it blocks many attachment types and disables link previews, the kinds of attack vectors that attackers can use to exploit these “clickless” vulnerabilities.

“We believe, and Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack,” Citizen Lab said.

These updates will likely be some of the last to be released ahead of Apple’s September product announcement event next week, where we expect to get release dates for iOS 17, iPadOS 17, and possibly other software.

https://arstechnica.com/?p=1966414




Apple releases, quickly pulls Rapid Security Response update for 0-day WebKit bug


Yesterday, Apple published a new Rapid Security Response update for iOS 16, iPadOS 16, and macOS Ventura to patch yet another actively exploited WebKit code execution bug. But shortly after installation, users began having issues accessing certain websites, and Apple has apparently pulled the update to fix the problem.

According to MacRumors, affected sites include Facebook, Instagram, WhatsApp, and Zoom, which began showing warning messages about not being supported following the update.

Luckily for anyone who has installed it, Rapid Security Response updates can be removed just as quickly as they were installed; on iOS, navigate to the About page in the Settings app, tap on your iOS version, and then tap “Remove Security Response.”

Removing a Rapid Security Response update on an iPhone running iOS 16.5.1.
Andrew Cunningham

The benefit of Rapid Security Response updates is that they’re small in size and quick to install. The updates Apple has released so far have required a restart on my devices, but total downtime was much less than it was for a typical software update. This is because Apple has stored many Safari and WebKit components outside of the main Signed System Volume (SSV), a tamper-proof read-only volume for most system files that must be mounted separately, patched, and re-sealed every time most system updates are installed.

The downside of Rapid Security Response updates is that they may not be tested as thoroughly as some system updates; Apple is currently on its fifth developer betas of iOS 16.6 and macOS 13.5, and both updates have been in testing since mid-May. Though you’ll typically want to install them quickly because the bugs they’re patching tend to be severe, you may occasionally run into problems.

After a restart, the OS will let you know that the update has been removed.
Andrew Cunningham

WebKit vulnerabilities in iOS tend to be especially severe since any app that wants to render web content needs to use a webview powered by the built-in WebKit engine used by Safari. This includes third-party browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge, which can’t use their own native rendering engines on iOS or iPadOS the way they can on macOS, Windows, or other platforms. Apple has long maintained that this restriction improves security on the platform.

Apple announced the Rapid Security Response feature as part of iOS 16 and macOS Ventura last June but didn’t actually start using the feature publicly until a couple of months ago. We’ve contacted Apple to ask if and when the removed Rapid Security Response update will be fixed and rereleased and will update the article if we get an answer.

https://arstechnica.com/?p=1952750




Apple uses iOS and macOS Rapid Security Response feature for the first time

Macs running macOS Ventura.

When it announced iOS 16, iPadOS 16, and macOS Ventura at its Worldwide Developers Conference last summer, one of the features Apple introduced was something called “Rapid Security Response.” The feature is meant to enable quicker and more frequent security patches for Apple’s newest operating systems, especially for WebKit-related flaws that affect Safari and other apps that use Apple’s built-in browser engine.

Nearly a year after that WWDC and more than seven months after releasing iOS 16 in September, Apple has finally issued a Rapid Security Response update. Available for iOS and iPadOS devices running version 16.4.1 or Macs running version 13.3.1, the update adds an (a) to your OS version to denote that it’s been installed.

At this point, it’s unclear whether Apple intends to release more information about the specific bugs patched by this Security Response update; the support page linked to in the update is just a general description of Rapid Security Response updates and how they work, and Apple’s Security Updates page hasn’t been updated with more information as of this writing.

Apple has released several Rapid Security Response updates to iOS and macOS beta users before now, including during iOS 16.4’s beta phase, but it has never released one to the public until today. It’s possible that the updates released to beta users were simply testing the update mechanism rather than applying meaningful security patches.

As detailed in our macOS Ventura review, the Rapid Security Response feature required significant under-the-hood changes to how the encrypted, sealed system volumes in iOS and macOS normally work. In previous OS versions, all system files were on a signed system volume (SSV), and any change to the files required the entire system volume to be loaded as a snapshot, patched, resealed, and then loaded the next time the device reboots.

This setup protects system files from tampering, but the downsides are increased update download sizes, longer update times, and mandatory reboots, something users will often put off to avoid interrupting what they’re trying to use their computers for. The iOS 16 and macOS Ventura updates move some system files outside of the SSV into still-encrypted but smaller and more compartmentalized extensions of the SSV. These “cryptexes” can be updated without modifying the main SSV.

Rapid Security Response updates should generally be smaller than other kinds of updates.
Andrew Cunningham

Rapid Security Response updates won’t always come without reboots—today’s update required a reboot of my M1 MacBook Air and iPhone 13 Pro—but these did have much smaller file sizes and installation times than the 16.4.1 and 13.3.1 updates that Apple released earlier this month. The iOS 16.4.1 (a) update was only 85.7MB on my phone, while the 16.4.1 update was several hundred MB (this will vary from device to device).

Rapid Security Response updates can be disabled in Settings without modifying your settings for downloading and installing other kinds of iOS and macOS updates. The updates can also be removed post-installation.

Today’s update initially threw an error message for people who attempted to install it, but as of this story’s publication, it seems like Apple fixed the problem.

https://arstechnica.com/?p=1935658




Apple will launch a journaling app in iOS 17, but that’s bad news for some devs

The 2022 iPhone SE.
Samuel Axon

Apple plans to unveil a personal journaling app at the Worldwide Developers Conference in June, according to a Wall Street Journal report. The app will be pre-installed on all iPhones that run iOS 17, and it will deeply integrate with location services, contacts, and more on the user’s phone.

The WSJ based its reporting on analysis of internal Apple documents about the product. Apple plans to position the app (which is codenamed “Jurassic”) as a mental health tool, noting research that shows regular journaling can help with depression and anxiety.

Jurassic (the name will surely be changed before launch) will be able to look at data stored locally on your phone to determine what a typical day looks like, with access to your contacts, your location, workouts, and more. It will make recommendations to users about what they might journal about, including when the app detects behavior that is outside of the normal routine.

It will even offer “All Day People Discovery,” which will track the user’s proximity to others, drawing distinctions between work colleagues and friends.

This kind of integration with other pre-installed apps and user data will set the app apart from other journaling options on the iPhone, potentially making it difficult for them to compete. The WSJ report includes quotes from Paul Mayne, founder of the popular third-party iPhone journaling app Day One, which was acquired by Automattic in 2021.

Mayne echoes the sentiment of several app developers who have been frustrated when Apple launched in-house competitors to the apps they have introduced to the ecosystem, often copying features those apps innovated and adding functionality that only Apple can offer, per the iPhone’s privacy and security policies and APIs.

Apple’s documentation for Jurassic is careful to put user privacy and security at the center of the design, and most or all of the user tracking data the app uses will stay locally on each user’s iPhone and, at least in some cases, will not be retained for more than a few weeks.

Apple’s privacy-focused policies and messaging seem altruistic—the company has left money on the table in its commitment to pro-privacy policies before. But the policies serve Apple in two key ways beyond happy customers: they provide a clear differentiation from competitors like Google and Meta in the battle for public opinion in marketing and public relations, and they keep third-party apps from having the same kind of access to user data that Apple does.

When Apple seeks to replace or compete with a third-party app, it may sometimes have greater access to user data to fuel features than those third-party developers.

The documents seen by the Journal’s reporters did not specify whether Apple would charge for the app. It’s unlikely to be a premium download or ad-supported, but Apple has charged users recurring subscription fees for some features and services in the past.

https://arstechnica.com/?p=1933618




iOS 16.4.1 and macOS 13.3.1 address two security vulnerabilities

The backs of the iPhone 14, iPhone 14 Pro, and iPhone 14 Pro Max.
Samuel Axon


Apple has released bug fix and security updates for several of its operating systems, including iOS 16.4.1, iPadOS 16.4.1, and macOS Ventura 13.3.1.

The iOS and iPadOS updates don’t add any new features. Their main purpose is to address two separate major security vulnerabilities, and the release notes include two bug fixes.

Apple details the bug fixes as follows:

  • Pushing hands emoji does not show skin tone variations
  • Siri does not respond in some cases

Some users have been complaining vocally about the Siri bug, and Apple says it shouldn’t be a problem anymore. As for the security updates, Apple says both vulnerabilities opened the door to arbitrary code execution, and both have reportedly been actively exploited. The company’s security notes say:

IOSurfaceAccelerator

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved input validation.

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.

The macOS update addresses the same security vulnerabilities, and it also fixes the same bug with skin tones in emojis. But it also fixes a bug that impacted the feature that allows you to unlock your Mac with your Apple Watch.

These updates come just 10 days after Apple released iOS 16.4 and macOS Ventura 13.3. Those major updates added new emojis, introduced expanded accessibility features, and fixed several bugs.

Apple is expected to release at least one more major update for iOS 16, dubbed iOS 16.5, before iOS 17 is introduced this fall. The company will detail the features coming to iOS 17 and macOS 14 at its Worldwide Developers Conference, which begins June 5.

https://arstechnica.com/?p=1930058




Apple rolls out iOS 16.4 and macOS Ventura 13.3 with new emoji and features

The 2021, 24-inch iMac with Apple's M1.
Samuel Axon

Apple released new updates for most of its software platforms today, including macOS Ventura 13.3, iOS 16.4, iPadOS 16.4, tvOS 16.4, and watchOS 9.4.

These are all feature updates, meaning they actually add new functionality in addition to fixing bugs or addressing security vulnerabilities.

iOS and iPadOS 16.4 add a number of minor features. The headliner is (of course) 21 new emojis, like new heart colors, additional animals, and a shaking head. Beyond that, though, Apple says you’ll see improved voice isolation on phone calls, support for notifications from web apps that have been added to your phone’s home screen, new ways to weed out duplicates in your Photos library, and a number of bug fixes.

As far as accessibility goes, iOS and iPadOS can now automatically dim the screen when a video with flashing lights is playing, and VoiceOver is now supported in the maps found inside the Weather app.

tvOS 16.4 has only one listed change: the flashing lights protection feature we just mentioned for iOS and iPadOS.

On the Apple Watch side, watchOS 9.4 is mostly about bringing features to new regions. Cycle Tracking is now supported in Moldova and Ukraine, and AFib history has made it to those two regions as well, plus Colombia, Malaysia, and Thailand.

Then there’s the other big one: macOS Ventura 13.3. It includes several of the same features as iOS 16.4, including the new emoji, Photos duplicate album, and accessibility features. It also adds a “remove background” feature in Apple’s visual note-taking app Freeform, which “isolates the subject in your image.” There are also some macOS-specific bug fixes, and you’ll find expanded language support for the keyboard.

iOS 16.4 release notes

This update includes the following enhancements and bug fixes:

  • 21 new emoji including animals, hand gestures, and objects are now available in emoji keyboard
  • Notifications for web apps added to the Home Screen
  • Voice Isolation for cellular calls prioritizes your voice and blocks out ambient noise around you
  • Duplicates album in Photos expands support to detect duplicate photos and videos in an iCloud Shared Photo Library
  • VoiceOver support for maps in the Weather app
  • Accessibility setting to automatically dim video when flashes of light or strobe effects are detected
  • Fixes an issue where Ask to Buy requests from children may fail to appear on the parent’s device
  • Addresses issues where Matter-compatible thermostats could become unresponsive when paired to Apple Home
  • Crash Detection optimizations on iPhone 14 and iPhone 14 Pro models

macOS Ventura 13.3 release notes

This update includes new emoji along with other enhancements, bug fixes, and security updates for your Mac.

  • 21 new emoji including animals, hand gestures, and objects are now available in emoji keyboard
  • Remove background option in Freeform automatically isolates the subject in your image
  • Photos duplicates album expands support to detect duplicate photos and videos in an iCloud Shared Photo Library
  • Transliteration support for Gujarati, Punjabi and Urdu keyboards
  • New keyboard layouts for Choctaw, Chickasaw, Akan, Hausa, and Yoruba
  • Accessibility setting to automatically dim video when flashes of light or strobe effects are detected
  • VoiceOver support for maps in the Weather app
  • Resolves an issue where Trackpad gestures may occasionally stop responding
  • Fixes an issue where Ask to Buy requests from children may fail to appear on the parent’s device
  • Addresses an issue where VoiceOver may be unresponsive after using Finder

https://arstechnica.com/?p=1927095




iPhone now supports 86-year-old Dvorak keyboard layout natively, delighting Woz

The Dvorak layout is now available for iPhone.
Benj Edwards / Ars Technica

Tired of QWERTY? Starting with iOS 16—which launched last month—the Apple iPhone now supports the 86-year-old Dvorak keyboard layout natively. Previously, Dvorak typing aficionados needed to install a third-party app to use the layout.

Dvorak uses a different arrangement of keys than the standard QWERTY layout with the aim of improving typing speed and ergonomic comfort. August Dvorak and William Dealey invented the layout in 1936 after studying the deficiencies of the QWERTY typewriter keyboard, which was already 60 years old at that point.

Apple and Dvorak have an interesting history. The company first included native Dvorak support for its computers in the US model of the Apple IIc, released in 1984. It included a special “Keyboard” button that would swap the layout between QWERTY and Dvorak logically, but the physical keycaps would need to be re-arranged to match if you needed a label reference.

The QWERTY and Dvorak keyboard layouts side by side on iPhone.
Benj Edwards / Ars Technica

Interestingly, Apple co-founder Steve Wozniak (“Woz”) learned Dvorak around 1993 and never looked back (he wasn’t involved with Dvorak on the Apple IIc, he says). In an email to Ars Technica, Woz recounted how he first learned Dvorak. “I was on a flight to Tokyo and I ran Mavis Beacon teaches typing in Dvorak mode,” he wrote. “I spent 5 hours learning it and never again looked at a QWERTY keyboard. That’s all it took. My son had already switched over successfully, and learned Dvorak in a short time and quickly got up to the same speed he typed in QWERTY in about a week.”

Selecting the "Dvorak" layout in Settings > General > Keyboard > Keyboards.
Ars Technica

To use Dvorak on your iPhone, first make sure you’ve upgraded to iOS 16 or later. Next, open the Settings app and navigate to General > Keyboard > Keyboards, then tap your language and select “Dvorak” from the list. The next time you pull up the keyboard, you’ll see the different layout, with a home row that reads “AOEUIDHTNS”—exactly how August Dvorak would have liked it.

It’s worth noting that Dvorak’s purported speed improvements come from using 10 fingers to type, so if you’re just learning Dvorak, you might not see any speed improvements over QWERTY when typing with two fingers, such as your thumbs. However, longtime Dvorak users will likely be pleased.

“What I liked most about Dvorak then was the feeling of using less energy with your fingers,” Woz said. “Since iPhones came, I had to resort to QWERTY but it wasn’t in my brain anymore. I had been a very fast QWERTY typist my whole life, but now it’s gone. I have to look at the letters on my iPhone.”

Ars informed Wozniak of the native Dvorak support in iOS 16, and he replied, “OMG! Thank you very much!”

https://arstechnica.com/?p=1888644




Apple’s new iPhone update fixes bugs in Camera, Mail, and notifications

The back of the iPhone 14.
Samuel Axon

Today, Apple released small software updates for the iPhone and Apple Watch. Dubbed iOS 16.0.3 and watchOS 9.0.2, the updates are mostly focused on addressing a handful of bugs that users have experienced since the launch of iOS 16 and watchOS 9 last month.

iOS 16.0.3 claims to fix an issue where iPhone 14 owners on phone calls via CarPlay could barely be heard by the person on the other end, and another issue where Mail “crashes on launch after receiving a malformed email.”

It also addresses notification delays and Camera app slowdown on iPhone 14 Pro models. Some users were complaining that the Camera app could take multiple seconds to launch in some cases, and they faced similar delays in switching modes within the app once it had launched.

The iPhone update doesn’t add any new features, but several are coming in iOS 16.1. That release is expected in the coming weeks alongside the new version of iPadOS and, presumably, one or more new iPad models.

For its part, watchOS 9.0.3 addresses interrupted audio in Spotify, syncing errors with Wallet and Fitness when setting up a new Watch, a microphone bug, and an issue with snooze alarm notifications not behaving as expected.

Both updates are available on all supported devices today. The full iOS release notes from Apple can be found below.

This update provides bug fixes and important security updates for your iPhone including the following:

  • Incoming call and app notifications may be delayed or not delivered on iPhone 14 Pro and iPhone 14 Pro Max
  • Low microphone volume can occur during CarPlay phone calls on iPhone 14 models
  • Camera may be slow to launch or switch between modes on iPhone 14 Pro and iPhone 14 Pro Max
  • Mail crashes on launch after receiving a malformed email

https://arstechnica.com/?p=1888631