Apple can patch Ventura on the fly: RSR is coming

Updates put the Big in Big Sur. At their smallest, each update to macOS 11 amounted to around 2.1 GB on Intel Macs and 3 GB on Apple silicon models. It was bad enough being on the receiving end, but for Apple’s software update servers and the engineers who built each of those updates, it must have been a recurrent nightmare. Ventura promises to improve on the improvements we’ve already seen in Monterey, and to bring us more timely and tiddly updates that don’t even require the Mac to reboot: Rapid Security Responses (RSR). If nothing else in Ventura seems particularly compelling, these should make you want to upgrade yesterday.

Although Apple hasn’t yet explained how these will work in Ventura, a near-identical system is already in operation with iOS 16, and is explained here.

For the user, an RSR should be similar to the frequent security data updates we already get every couple of weeks or so, for the likes of XProtect, only rather larger. These will patch important vulnerabilities, particularly those that Apple believes might already be exploited. For this, Apple recommends that you enable them to be installed automatically. To do that in Ventura, open System Settings > General > Software Update and click on the ⓘ Info button.


In the dialog that appears, enable the last item, Install Security Responses and System files, which covers RSRs, security data updates like XProtect, and similar.

However, you don’t have to enable them to be automatically downloaded and installed, as they should still be offered to you as software updates you can install when you prefer. They should also be offered in the updates detected by SilentKnight and LockRattler, although until we have some experience of them I can’t advise you whether to install them in those apps, or to use Software Update. As soon as I know, I’ll explain what you can do.

Unlike security data updates, once an RSR has been installed, you have the option to remove it. Apple hasn’t yet made clear where you can do that in macOS, but it’s likely to be either in Software Update or General > About, where iOS places the control.

The fixes distributed in RSRs will then be built into the next update to macOS, so if you do decide to skip or remove them, you should still get their benefit when you next update normally. There’s also every indication that regular macOS updates will continue to shrink in size, as they have been during the last year of Monterey.

Not all security patches are likely to prove suitable for distribution as RSRs. In particular, trying to patch bugs in the kernel and its extensions isn’t likely to happen in Ventura. But for quick fixes in components like WebKit, whose bugs often result in serious vulnerabilities, this could prove a valuable enhancement to macOS security.

Apple doesn’t appear to have documented RSRs yet in its Platform Security Guide, but random blog has proposed that they’ll be installed as cryptographically-sealed extensions, or cryptexes, to extend the existing signed and sealed System volume (SSV). Currently, an app cryptex is already used to contain Safari and the password pane, and an OS cryptex contains dyld shared caches and a little more of the system. The cryptexes themselves are stored on the Preboot volume, so can be added to or replaced without the major surgery performed to the SSV by a normal macOS updater.

You’ll also find information about RSR capability on a Mac running Ventura with my Mints utility; its new Software Update button should provide further details about this system at the end of its report.

What remains to be seen is whether Apple also uses RSR to promulgate patches for more severe bugs in macOS. Although this may be possible for some, the most severe are generally considered to include Mach zone memory leaks and other bugs likely to lead to kernel panics, which will still probably require a formal macOS update.

For those hoping that Apple might extend RSRs to cover Monterey as well, I think that’s highly unlikely. If you’re still going to be running macOS 11 or 12 once Ventura is released, I’m afraid that conventional security updates are all you’re likely to be offered.