Apple's first Rapid Security Response update patches two WebKit zero-days
Apple's latest security update also patches another WebKit zero-day that was reported by Google's Threat Analysis Group and Amnesty International
Early this month, Apple released its first Rapid Security Response (RSR) update to the public, following numerous tests conducted since the release of iOS 16. These updates are separate from the main iOS updates, and they allow Apple to send out fixes for critical bugs quickly without waiting for the next update cycle.
Despite these tests, early users who tried to update reported an error when installing it, though they were eventually able to get through.
After the RSR was released, speculation began about the nature of the release and what it contained. It was quickly spotted that the build number for Safari had changed, which indicated that it likely included a patch for a WebKit vulnerability. With today’s update, that speculation is now confirmed.
Apple warns that both of these bugs have been exploited in the wild. Thanks to the Rapid Security Response, Apple was able to patch devices weeks before this update was released.
The latest update also included a fix for another bug that had been exploited in the wild. It was reported by Google’s Threat Analysis Group and Amnesty International—likely indicating that it is related to the use of commercial spyware.
Further Reading
What is a Rapid Security Response (RSR)?
Apple has just released the first Rapid Security Response for Ventura
About the security content of iOS 16.5 and iPadOS 16.5
About Rapid Security Responses for iOS, iPadOS, and macOS
Apple releases first ‘rapid’ security fixes for iPhones, iPads and Macs