What Are Rapid Security Responses and Why Are They Important?

One of Apple’s promised features for iOS 16, iPadOS 16, and macOS 13 Ventura was a new type of update, the Rapid Security Response. The first of these updates have now shipped, so you can update to iOS 16.4.1 (a), iPadOS 16.4.1 (a), and macOS 13.3.1 (a) in Software Update. Apple hasn’t said what security vulnerabilities these updates address on either the Apple Security Updates page or the release note pages for iOS 16, iPadOS 16, and macOS 13, but realistically, the vast majority of users don’t care about such tweaky technical details. I’ve updated all three operating systems with no problems, and I encourage you to update as well.

So what’s a Rapid Security Response, and why are we seeing them now? Apple’s goal is to distribute important security fixes to users more quickly and encourage faster adoption, particularly when a vulnerability is being exploited in the wild. Although only Apple knows how long it takes for its user base to install security updates, it’s undoubtedly slowed by three factors:

• Download size: Although high-speed Internet connections are commonplace, many people still have slower connections that cause them to delay large updates.
• Installation time: More problematic is the downtime associated with installing an operating system update. We all schedule updates for when life circumstances permit.
• Update hesitancy: Some updates have introduced new problems, causing cautious users to delay updating until early adopters have reported success.

The first two factors stem from Apple’s move to the read-only Signed System Volume in macOS 11 Big Sur. As the inimitable Howard Oakley explains, changing the contents of the Signed System Volume requires installing the update on the System volume, making a cryptographically sealed snapshot, and restarting from that snapshot. Because of the many files that require updating for even minor changes, updates require large downloads and lengthy installation times.

Apple’s solution is to move components likely to need updating—Safari and its underlying WebKit foremost among them—outside of the Signed System Volume. That makes them easier to update but also more vulnerable. To maintain security for such external components, Apple introduced special disk images called cryptexes (cryptographically signed extensions). There’s almost no documentation of cryptexes apart from Howard Oakley’s exploration, where he says they’re stored on the Preboot volume and loaded early in the boot process, when they’re grafted into the parent file system such that their contents effectively become part of the system.

Rapid Security Response updates are also cryptexes, which theoretically allows them to be a fraction of the size of traditional security updates, and they should install in vastly less time, addressing the first two factors that delay update adoption.

Installing Rapid Security Responses

By default, all iPhones, iPads, and Macs running the latest operating systems allow Rapid Security Responses to be applied automatically. Theoretically, you shouldn’t notice them being installed unless a restart is required, which was true of all three of these updates. After restarting, iOS and iPadOS—but not macOS—posted a notification alerting the user to the update. I suspect Rapid Security Responses that don’t warrant restarts will also generate such notifications.

You can always tell if a Rapid Security Response has been installed because the version number in Settings > General > About or About This Mac will include a letter, as in iOS 16.4.1 (a). I presume Apple will increment the letter if multiple Rapid Security Responses ship before the next operating system update.

You can check to make sure Rapid Security Responses are set to be installed in:

• iOS/iPadOS: Go to Settings > General > Software Update > Automatic Updates, and look at “Security Responses & System Files.”
• macOS: Go to System Settings > General > Software Update, and click the ⓘ next to Automatic Updates. Then look at “Install Security Responses and system files.”

   

  

If you turn off automatic updates or avoid installing Rapid Security Responses when they become available, you’ll automatically get all the included fixes with the next operating system update. I plan to allow mine to install automatically, and I encourage most other people to do so, too. If you want full manual control, that’s fine, but then it’s your responsibility to check for and install updates. Given the small downloads, quick installation, and ease of reverting, I think it’s worth letting Apple work to protect our devices against attack as it sees fit.

On my devices, the updates ranged in size from 53.2 MB to 309.8 MB, and the installation time was commensurate with the update size and power of the machine. Apple has clearly solved the size and time problems.

What about update hesitancy? Since the entire point of Rapid Security Responses is that Apple can push them out quickly, presumably with less testing time than a full operating system update would require, it’s more likely that they could have unanticipated side effects. But since cryptexes are atomic—they’re standalone disk images whose contents are grafted into the system at boot—it’s easy for Apple to provide a mechanism for removing them. So if you experience apps crashing or other significant problems immediately after installing a Rapid Security Response, you can remove it and revert to the previous version of the operating system. That’s a huge win and something that’s never before been possible.

Removing Rapid Security Responses

In iOS and iPadOS, you remove a Rapid Security Response by going to Settings > General > About > iOS/iPadOS Version, tapping Remove Security Response, and confirming the action. Removing the Rapid Security Response from the iPad Pro was roughly the same speed as installing—about 14 minutes—but after it restarted, the update was available to install again, as it should be.

On the Mac, removing a Rapid Security Response requires going to System Settings > General > About, clicking the ⓘ next to the macOS version, clicking Remove & Restart, and confirming the action. The process took about 2.5 minutes. On the first boot after removing, Software Update wouldn’t show me the Rapid Security Response, claiming that macOS 13.3.1 was up to date. After another restart, it came back, and I was able to reinstall it.

Note that the release notes of the previous operating system update also appeared on these screens. That’s a small but welcome addition.

Ultimately, it’s good to see Apple finally utilizing the long-promised Rapid Security Response update mechanism. I’ll admit that I had somewhat come to dread operating system updates, particularly on the Mac, where you can end up staring at a black screen for far longer than is comfortable. Rapid Security Responses won’t fix that problem for actual operating system updates, but I hope Apple can use them to reduce the number of full updates that are necessary.