Yesterday Apple released the first of a new type of update that we’re likely to see more of in the future: a Rapid Security Response, or RSR. This article explains why they’ve been introduced, what they do, and how you remain in control of them.
Since the introduction of the Signed System Volume (SSV) in Big Sur, macOS updates have been large and complex to install. This is because almost all of macOS is locked away in a read-only snapshot of your Mac’s System volume. To make even the smallest of changes in that, the update has to be installed first on the System volume, a snapshot is made of that and cryptographically sealed using a tree of hashes, then your Mac has to restart from that snapshot.
Because of the structure of the system, even small changes have to be accompanied by changes in other files, most importantly some large components, the dyld caches, and changes in the kernel and its extensions have to be incorporated in other collections used during the boot process. Apple has been improving macOS update download size and time taken to install, but these will remain substantial because of what has to be done.
While the SSV is wonderfully secure, its security thus gets in the way of updates, so Apple has moved some components that are likely to be updated individually and more often, out of the SSV. Among these is Safari and its supporting components including WebKit. As the front line in the defence against most attacks on macOS, it’s vital that Safari can be updated more quickly and easily, but the mechanism of its storage and updating also need to be robust and not a vulnerability.
The answer comes in special disk images called Cryptexes, that are cryptographically verified and stored away from potential intruders, on the hidden Preboot volume. These were first developed for Apple’s customised iPhone, its Security Research Device, and were introduced to macOS Ventura when it was released last year. When your Mac downloads and installs an RSR, it gets one or more Cryptexes, either to replace existing ones or to supplement them. If you want to learn more about Cryptexes and the RSR mechanism, see this article.
How to install them
RSRs like yesterday’s are offered and delivered in Software Update, as Security Responses, which you should normally enable in the options for Software Update in System Settings > General. They are also found by SilentKnight, LockRattler and the
softwareupdate command tool.
Although they’re small, yesterday’s being little more than 300 MB for Apple silicon Macs and considerably less for Intel models, you should download and install them through Software Update whenever possible. This is because they may need to restart your Mac to become effective, and SilentKnight and alternatives may be unable to complete their full installation process. If you do try using SilentKnight, you’ll probably see the busy spinner running for a long time and never completing. All you need do then is open Software Update and complete the update or restart from there.
If your Mac appears unable to download or install an RSR correctly, restart it and try again. If that doesn’t help, start it up in Safe mode and you should find that solves the problem. If it doesn’t, contact Apple Support.
How to control them
RSRs are intended to be released quickly, then in slower time their fixes will be incorporated into the next release of macOS. This could make incompatibilities more frequent, so Apple provides a method for you to uninstall the last RSR and revert to macOS as it was before.
Open System Settings > General > About, and look down for the macOS version. At the right of that line is an ⓘ button: click on it to see the dialog above, and the ability to uninstall that RSR.
What happens then is that the latest Cryptexes and their supporting files are removed, and replaced by their previous versions. Your Mac will probably then restart, after which it should be back to where it was beforehand.
Why the restart?
It’s Apple’s intention that RSRs are as lightweight as possible, and shouldn’t take more than a minute or two to download and install. Whenever possible, it hopes to be able to install them without the Mac being restarted, one of its original design aims. This won’t always be possible, though, as shown in this first RSR: all Macs that installed it had to restart before it could take effect.
I expect that will be the norm, because those components most likely to need patching in RSRs are those that need to be loaded fully during the startup process. However, a quick install and restart is a far cry from the more protracted install process required for a small macOS update. Even on an old and creaky iMac Pro, yesterday’s RSR was a quick and simple process, and a bright future for everyone running macOS Ventura.
Thanks and congratulations to Apple’s engineers who have finally seen it all work for real.