Apple on Monday distributed its latest Rapid Security Response update to iPhones, iPads, and Macs, rolling out an important security patch to protect devices against a recently identified attack Apple says is already in active use.

“Apple is aware of a report that this issue may have been actively exploited,” the company said in its security note.

That’s bad, as it means someone somewhere has already been attacked using this vulnerability. The patch repairs a flaw found in WebKit in which processing web content could lead to arbitrary code execution.

Apple explained that the issue was addressed with more stringent checks. The problem: those checks might have been too rigorous, causing some legitimate sites (Facebook, Instagram, Zoom) and other services to fail. That forced Apple to pull the security update after a few hours of release.

Update. Apple subsequently published an update explaining what happened with the update, writing: 

"Apple is aware of an issue where this Rapid Security Response might prevent some websites from displaying properly. Rapid Security Response iOS 16.5.1 (b) and iPadOS 16.5.1 (b) will be available soon to address this issue."

Announced at WWDC 2022 and active as of the beginning of 2023, Rapid Security Response updates are small, quick-to-install security patches that can be distributed and downloaded automatically across Apple’s platforms.

The idea is that these small installs let the company maintain a high degree of security across all its platforms, as users get to install these intermediary patches as well as standard software updates. This accelerates patching.

Debrup Ghosh, senior product manager at Synopsys Software Integrity Group, said in a statement:

“With its Rapid Security Response updates, Apple has set the industry benchmark for not only addressing security vulnerabilities swiftly, but also rolling out these updates across millions of devices. Further, enabling automatic updates ensures that, for most customers, these security updates are applied without the any action from the end user.”

However, in this case, it is possible some devices might have been automatically updated to the flawed software.

If you have enabled your device to install security responses automatically, you might want to check whether you have already installed the problematic one.

Apple has an explanation of how do this, but in essence it tells you to open Settings on your device, tap General, About, and then tap on the version of your operating system. If you see a "Remove Security Response" button, the update is installed but can be removed to get WebKit working properly again. Apple should already have notified you the update is installed.

That said, in some cases the benefits of protecting Apple devices against this kind of zero-day attack could outweigh the inability to use apps like Facebook or Zoom.

High-value targets, human rights workers, politicians, journalists or other frequently targeted individuals might prefer to leave the patch installed until Apple releases a follow up patch without these problems. Apple will no doubt release a patch that works quite soon.

Apple hasn’t commented on the Rapid Response removal, but it is likely to swiftly redistribute a revised version of the software.

While we wait, Jamie Brummell, Socura co-founder and CTO, has a little security advice.

“One of the only effective things iPhone users can do to defend against these zero-days attacks is to reboot daily. Gaining persistence on iPhone is extremely hard, so restarting usually kills the threat actor’s code, at least until the device gets exploited again. Alternatively, iOS Lockdown mode can stop some of these exploits from working by blocking web-based scripts, risky message attachment types and more.”

While the appearance and disappearance of this update is unfortunate, the strength of Apple’s approach is that you can uninstall a problem patch with one tap on the Remove Security Response button.

It means Apple already has a system in place to help handle troublesome updates, even while it strives to ensure its platforms are protected against new threats as swiftly as possible. It’s important that it does so; after all, so far this year, 22% of all documented zero-day attacks have affected Apple devices.

While it is up to each user to strike a balance between security and reliability, the current security environment is complex at best, and it seems much better that the company is at least working to respond to emerging threats. Ultimately, this particular incident shows the strength of the company’s unique platform protection system, though the fact the initial release was itself flawed demonstrates the complexity of fast response on any platform.

In other words, life with Rapid Response might at times be a little more complicated, but the security benefits it usually provides far outweigh the risks.

Article updated 7/11/23 with additional comment from Apple.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

IT World