Apple recently introduced its Rapid Security Response process, which lets the company push out critical patches for key system components without a full-size operating system update. These patches typically deal with zero-day bugs that affect core software such as the Safari browser and WebKit. Such bugs are dangerous because browsers fetch content from any source on the internet: untrusted files supplied remotely by other people's servers can be converted into viewable content and displayed as web pages that users can interact with.
Apple’s new Rapid Security Response patches were only available for the latest version of macOS and the latest iOS/iPadOS, leaving older devices in the dark. However, the new patches were quick to download and required only one super-quick reboot. After the latest update, Apple revealed that the Rapid Security Responses were there to fix two zero-days in WebKit, which could have allowed attackers to take over the entire browser or device.
Combining these zero-days would be equivalent to a home run for an attacker, as the first bug reveals the secrets needed to exploit the second bug reliably, and the second bug allows code to be implanted to exploit the third. Therefore, it is essential to make sure all devices are patched, even those that already received a Rapid Security Response at the start of March 2023.
After updating, users should check the version numbers to confirm that the latest updates are installed. Note that on macOS Big Sur and macOS Monterey the WebKit patches are not bundled with the operating system version update but are supplied in a separate update package called Safari 16.5. Keeping devices updated is important to avoid being vulnerable to potential cyber attacks.
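A fleet check for the Big Sur/Monterey case described above, as an added example that is not Apple's or the original article's code: the inventory lines are constructed sample data, the function names are hypothetical, and versions are assumed to be plain dotted numbers. On a Mac the two inputs can be read with `sw_vers -productVersion` and `defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString`.

```shell
#!/bin/sh
# Safari release that carries the WebKit fixes on Big Sur/Monterey (from the article).
SAFARI_FIXED=16.5

# ver_lt A B: succeed when dotted version A is older than B.
# Fields are compared numerically, so 16.10 is newer than 16.5.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}          # missing fields count as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1                          # equal versions are not "older"
}

# webkit_status OS_VERSION SAFARI_VERSION: print a one-word verdict.
webkit_status() {
    case ${1%%.*} in
        11|12)  # Big Sur / Monterey: the OS version alone says nothing about WebKit
            if ver_lt "$2" "$SAFARI_FIXED"; then
                echo NEEDS_SAFARI_UPDATE
            else
                echo SAFARI_OK
            fi ;;
        *)      # the article gives no fixed OS version numbers for other releases
            echo CHECK_OS_UPDATE ;;
    esac
}

# audit_inventory: read "host os_version safari_version" lines on stdin.
audit_inventory() {
    while read -r host os safari; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(webkit_status "$os" "$safari")"
    done
}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY='mac-01 11.7 16.4.1
mac-02 12.6 16.5
mac-03 12.6 16.3
mac-04 13.3 16.4'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

Hosts reported as `CHECK_OS_UPDATE` still need their operating system version compared against Apple's current release notes, which this sketch does not encode.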