Apple has pulled a Rapid Security Response update that fixed an exploited flaw in iOS 16.5.1, iPadOS 16.5.1, and macOS 13.4.1
Apple has released a Rapid Security Response update for iOS 16.5.1, iPadOS 16.5.1, and macOS 13.4.1. The emergency update fixes an actively exploited vulnerability that affects the WebKit engine, but Apple may have pulled the update already.
Updated: Two days after it pulled the patch, Apple has released iOS 16.5.1 (c), iPadOS 16.5.1 (c) and macOS 13.4.1 (c) Rapid Security Response updates with the fix for the security issue.
Rapid Security Response update fixes an exploited flaw in iOS 16.5.1, iPadOS 16.5.1, and macOS 13.4.1
According to the release notes published by the Cupertino company, a bug in Apple Safari could allow arbitrary code execution when processing web content. The bug was addressed with improved checks. Apple has acknowledged that this issue may have been actively exploited. The issue, which is tracked under CVE-2023-37450, was discovered by an anonymous researcher.
The security fix is available for all iPhones, iPads and Macs that are running on iOS 16.5.1, iPadOS 16.5.1, and macOS 13.4.1.
Apple Safari 16.5.2 update for macOS Big Sur and macOS Monterey
Apple has released the Safari 16.5.2 update for macOS Big Sur and macOS Monterey to fix the security issue in the legacy operating systems. Users may install the update from System Preferences > Software Update.
This is the second time Apple has released a Rapid Security Response (RSR) update for its devices; the first one was released in May 2023 for iOS 16.4.1, iPadOS 16.4.1 and macOS 13.3.1.
Apple may have pulled the RSR update temporarily
Neither my MacBook nor my iPhone installed the update overnight, and it isn't showing up when I check for updates manually. This likely means that Apple may have pulled the RSR update already. Could your phone have installed this update automatically? Well, there is an easy way to tell this. The Software Update page displays your current version of the operating system. You may also verify it from the Settings > General > About section. If you see an "(a)" next to the iOS version, for example iOS 16.5.1 (a), it means your device has the update. If the "a" is missing, and it just says iOS 16.5.1, your iPhone has not been updated automatically.
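For anyone checking more than one device, the same suffix test can be run over an exported inventory. The script below is an added example, not something from Apple or the release notes; the host names and inventory rows are constructed, the status labels are hypothetical, and it covers only the three platforms that receive the RSR (not the Safari 16.5.2 update for older macOS).

```python
import re

# Base releases that receive this Rapid Security Response (from the article).
RSR_BASE = {"iOS": (16, 5, 1), "iPadOS": (16, 5, 1), "macOS": (13, 4, 1)}
# RSR letters the article mentions; anything else is reported as unlisted.
KNOWN_LETTERS = {"a": "rsr-a-installed", "c": "rsr-c-installed"}
# "16.5.1 (a)" -> "16.5.1" plus optional letter "a".
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,2})\s*(?:\(([a-z])\))?\s*$")


def parse_version(text):
    """Return ((major, minor, patch), letter or None); raise ValueError if malformed."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad "16.6" to (16, 6, 0)
    return tuple(parts), match.group(2)


def rsr_status(platform, version_text):
    """Classify one device against the RSR described in the article."""
    base = RSR_BASE.get(platform)
    if base is None:
        return "unknown-platform"
    try:
        version, letter = parse_version(version_text)
    except ValueError:
        return "unparseable"
    if version > base:
        # Assumption: later releases carry the fix (the article names iOS 16.6).
        return "newer-release"
    if version < base:
        return "needs-os-update"  # e.g. 16.4.1 (a) is the May RSR, not this one
    if letter is None:
        return "rsr-missing"
    return KNOWN_LETTERS.get(letter, "rsr-unlisted")


def audit(inventory):
    """Map host name -> status for (host, platform, version) rows."""
    return {host: rsr_status(platform, ver) for host, platform, ver in inventory}


# Constructed sample inventory (hypothetical host names).
SAMPLE = [("phone-01", "iOS", "16.5.1"), ("phone-02", "iOS", "16.5.1 (a)"),
          ("mac-01", "macOS", "13.4.1 (c)"), ("pad-01", "iPadOS", "16.4.1 (a)")]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as "rsr-missing" are the ones still on the plain base release and therefore without the WebKit fix.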
Why would Apple pull an emergency update? According to various reports from users on the MacRumors forums, installing the iOS 16.5.1 (a) update breaks compatibility with Facebook, Instagram and Zoom. Trying to access the services via Safari reportedly displays an error that says "unsupported browser". This is likely a user agent issue, where the websites probably fail to detect Safari accurately. It is possible that the update could have impacted other apps/services as well, which would explain why Apple may have pulled the update. I'm not entirely sure if putting the usability of apps ahead of a user's security is a wise thing to do, but I suppose people may rely on web apps for work and school, in which case it might make sense. We can probably expect the RSR update to be resumed once this issue has been sorted out.
How to uninstall a Rapid Security Response Update in iOS, iPadOS and macOS
1. Open the Settings app.
2. Go to General > About and tap on the iOS version.
3. You can remove the Rapid Security Response Update.
This should allow you to use Facebook, Zoom, Instagram, etc. The security fix in the Rapid Security Response update will be included in the next iOS update, i.e. iOS 16.6, which is currently in the final beta test phase.