On Monday, Jul 10, 2023, Apple released a new set of Rapid Security Release fixes, for only the second time since the RSR program began. These fixes were solely for macOS Ventura 13 and iOS 16. You can find the exact details within the links below:
- About the security content of Rapid Security Responses for iOS 16.5.1 and iPadOS 16.5.1
- About the security content of Rapid Security Responses for macOS Ventura 13.4.1
Note: If you are deferring updates, that could prevent your devices from seeing these RSR Updates.
We published a detailed blog post about the introduction of these rapid security releases earlier, which you can find here. Also, we have a document that explains how you can manage these Updates here, if interested.
What Happened Next
The iOS 16.5.1, iPadOS 16.5.1, and macOS Ventura 13.4.1 Rapid Security Response updates fixed a WebKit vulnerability that Apple says may have been actively exploited. Unfortunately, it appears that the updates changed the Safari user agent to include an “(a),” leading some websites to break.
The issue is that the UserAgent string added “(a),” causing a large number of websites to report an unrecognized browser and display a mobile version, or nothing at all.
What do I do now?
Apple updated the release note (https://support.apple.com/en-us/HT213825) to indicate that they are aware of this issue and pulled the release. On July 10th, Apple released 13.4.1(c), effectively fixing the previous RSR.
You can revert the RSR build if necessary, but you may want to keep the devices on the most secure patch, at the expense they cannot access certain applications.
This is the first time an Apple Rapid Security Response includes release notes, however, it’s not yet confirmed if all future RSR updates will include release notes.
These vulnerabilities involve arbitrary code execution with WebKit when processing web content. It’s recommended that you update as soon as possible to avoid these actively exploited vulnerabilities. The update will require devices to restart.