hoakley July 16, 2023 Macs, Technology

Last Week on My Mac: How an RSR went badly wrong

Last week broke new ground in being the first in which Apple released two Rapid Security Responses (RSR) within two days. On 10 July, it released RSR 13.4.1 (a), but removed it a few hours later, then replaced it by RSR 13.4.1 (c) on 12 July. As far as we’re aware, both patched the same vulnerability in WebKit, but the first also broke popular web services including Facebook. The causes of this fiasco should have been anticipated, and were entirely preventable.

The underlying problem wasn’t for once the result of the patched code in the RSR, but Apple’s version numbering, something I and others had highlighted when Apple released its first RSR on 1 May. As I explained then, Apple changed its version numbering system without any explanation or warning, and in a way that broke its parsing by many third parties.

Previously, Apple had numbered macOS versions using the scheme [major].[minor].[patch], as in 13.4.1 and that for bundle versions. Rather than count an RSR as a patch, or add a fourth digit to take the version number to 13.4.1.1, it decided to append a letter, and even worse to put that in parentheses. The first of last week’s two RSRs thus changed the macOS version number to 13.4.1 (a).

With its very first RSR in May, Apple also incremented Safari’s build number, taking it from 18615.1.26.11.23 to 18615.1.26.110.1, but its version number remained at 16.4. The fatal mistake last week was that Safari’s version was also changed this time, from 16.5.1 to 16.5.2 (a). Changing the version number of a browser has more widespread impact, as that’s included in its User Agent, information that’s checked by many websites that the browser connects to. Without prior warning, Safari’s User Agent went from 16.5.1 to 16.5.2 (a), and some servers simply couldn’t accept that, so refused to continue their connection with all Macs that had installed RSR 13.4.1 (a).

This in turn results from the User Agent being sent as a text string, rather than anything structured to cope with such changes in the format of version numbers. Parsing text strings robustly to extract version numbers whose structure can change requires surprising care, and clearly wasn’t of concern to some major services. It’s as much a reflection on poor programming practice on the part of those analysing the User Agent, as on Apple’s lack of forethought of the consequences of changing Safari’s User Agent in that way.

This also raises the question of why some web services should block connections when they don’t fully recognise the User Agent. From its inception, the World Wide Web was intended to be largely independent of platform and software. Its protocols are designed to be implemented on all systems that can connect to the internet. Yet when servers encountered a browser version they didn’t recognise, their response wasn’t to fall back to a default behaviour, but to deny that connection altogether. Instead of being a common language, the internet has increasingly deviated from its original objectives to the detriment of its users.

Apple has also failed to recognise that version numbers are a public means of communication with developers, users, administrators and servers, not a private playground like build numbers. I’ve been unable to find any documentation from Apple explaining its numbering system before it started releasing RSRs, and it certainly hasn’t defined its system since. Why is the RSR letter enclosed in superfluous parentheses? Does Apple intend using these letters without parentheses, such as 13.4.1 a, for another purpose? Why did the second RSR jump to (c) when the previous release was (a)? Perhaps most of all, why with its May RSR did Apple change Safari’s build but not version number, and then do the opposite on 10 July?

The implication is that Apple has not only failed to communicate its version numbering system to the public, but hasn’t even defined it for its own engineers.

13Comments

Add yours

1

Enzo Vincenzo on July 16, 2023 at 7:20 am

“ There are no comments”
“Add yours”
And what do you want to comment…, dear Howard… 😦 It’s incommentable… Would it be an exaggeration to say about petty and arrogant behavior? That is to say: “I (Apple) am me and you are nobody?” 😦

LikeLiked by 2 people
2

Alan B on July 16, 2023 at 7:57 am

Very unprofessional by Apple. Also they should have read the appropriate guidelines re the User Agent fiasco.
https://www.rfc-editor.org/rfc/rfc9110.html#name-user-agent

LikeLiked by 3 people
- 3
  
  hoakley on July 16, 2023 at 9:09 pm
  
  Thank you.
  Howard.
  
  LikeLiked by 1 person
4

SarahB on July 16, 2023 at 9:49 am

Not so good for something new to macOS. It makes me feel like I can’t trust the RSR updates now but I will be more cautious. But it was kind of stressful. Since there was a stand alone safari update also for my other mac’s on an older OS. But then I think that got pulled too. But then left us open for a few days not being protected. Glad they seem to be posting what the updates are about now I think.

I keep wondering why things are not tested more first before release. Seen it happening a lot these days but I know a lot of positions in work/jobs have changed quite a bit in past few years. I keep bracing for more confusion and mistakes. Not just with apple but with so many other companies as well.

LikeLiked by 1 person
- 5
  
  hoakley on July 16, 2023 at 9:11 pm
  
  Thank you.
  RSRs are intended above all to be rapid, to patch vulnerabilities that are being exploited by malware. As they’re easily removed, you should have no fear of installing them as soon as possible.
  However, in this case the problems were completely avoidable, and should never have occurred.
  Howard.
  
  LikeLiked by 1 person
6

Enzo Vincenzo on July 16, 2023 at 12:32 pm

For some time I always wait at least a week before making any updates.
Even with major macOS updates (e.g. macOS 11 to 12 or 13.1 to 13.2) I wait for the XX.Y.1 (point one) which always arrives a few days later and usually proves to be stable. Idem with iOS, ecc.
Let’s not forget a major update of macOS (e.g. the Monterey first build) which even turned many MacBook M1 into bricks…
After all, what’s the rush?… Waiting a few more days makes no difference since we have known for some time now that history repeats itself and after an XX.Y version there will ALWAYS be an XX.Y.1, a few days later, which fixes bugs and issues based on numerous reports and Apple support calls from Users.

LikeLiked by 1 person
- 7
  
  Enzo Vincenzo on July 16, 2023 at 12:40 pm
  
  I add: and if we have problems with Builds that are tested by Beta Testers… let alone the problems we can have with RSR updates that are not tested at all by the community, but only by Apple Engineers who are less and less transparent in their behavior and not they have a sincere openness to third parties and to universal common rules.
  
  LikeLiked by 1 person
  - 8
    
    hoakley on July 16, 2023 at 9:27 pm
    
    I would strongly encourage you to install RSRs as early as you possibly can.
    RSRs fix vulnerabilities that are known to be exploited by malware now. No matter how careful you might be, your Mac could readily be affected by that malware. Recognising that these changes aren’t tested as thoroughly as an update to macOS, they’re designed to be easily removable. Had you installed 13.4.1 (a) last Monday and found its problem, you could have removed it within just a few minutes.
    With the rising problem of malware on macOS, previous practice of delaying updates is beginning to look very dangerous, with your Mac exposed to risk quite unnecessarily. That’s the rush.
    Currently, x.x.1 updates occur infrequently, and are almost invariably urgent security updates, not ‘fixes’ of problems in the last minor release. For example, 13.4.1 followed over a month after 13.4, and contained just two security fixes, both of which were serious and already being actively exploited. The two fixes in the RSR released last week are unlikely to be incorporated into 13.4.2, which probably won’t be released, but you’d have to wait for 13.5 later this month for the same protection.
    Howard.
    
    LikeLiked by 2 people
9

Sab Gigo on July 16, 2023 at 3:53 pm

Looking over the previous version numbering for Safari with previous RSR releases, this time I believe that appending the (a) was truly human error. Howard’s article notes that this was a deviation from the prior numbering, which did not incorporate a letter appended to the version number. Errors resulting in this magnitude of dysfunction ought not be made, but did not result in something like a Space Shuttle explosion, and it was corrected fairly quickly. I will say that my reliance on Safari has decreased in recent years, and if a website refuses to display, my first response is to launch an alternate browser to see if that resolves the issue. Apple has shown a lack of transparence on other issues in the past — the iOS battery issue comes to mind, and resulted in a rethinking by Apple as how to better meet the needs of. the customer. I am hopeful that somebody higer-up at Apple takes notice of Howard’s constrictive criticisms, and is willing to move up the chain of command and try to get reforms at Apple instituted. I believe that Apple is more willing than most of its competitors to institute positive changes that well impact the needs of their customers — it may take a while, but I, for one, am willing, for the most part, to wait it out.

LikeLiked by 2 people
- 10
  
  hoakley on July 16, 2023 at 9:29 pm
  
  Thank you.
  What’s terrible here is that the hard problem – fixing the vulnerabilities – works fine. What should never have been a problem, version numbering of Safari, turned it into a fiasco, though.
  Howard.
  
  LikeLiked by 1 person
11

Myob on July 17, 2023 at 3:13 pm

I’m not a developer. With that in mind, the only documentation on RSR versioning I’ve found is within an MDM context:
https://support.apple.com/guide/deployment/rapid-security-responses-dep93ff7ea78/web

There’s examples depicted. In the “DeviceInfo example” and the “AvailableOSUpdate example” sections at the bottom of the page, the “SupplementalBuildVersion” and “SupplementalOSVersionExtra” keys have a string closing of “a” and “(a)” respectively. Is that the RSR parentheses’ purpose––nonconflicting identification?

I don’t know why version (b) was skipped. There were no intervening minor OS updates, although my understanding of the information doesn’t lead me to believe that that (or anything else) would cause a relative succession break. Speculation––problems were found with (b) so they released (c) for the value of timeliness.

Regardless, thank you for the articles and responses––now and for when Apple originally introduced the uncertainty.

LikeLiked by 1 person
- 12
  
  hoakley on July 17, 2023 at 5:11 pm
  
  Thank you.
  That’s a fascinating document, dated from early June. It still doesn’t reveal the changed version number format for macOS, and certainly doesn’t mention Safari. Indeed, in the example given for DeviceInfo, the string for OSVersion reads “13.1” following installation of an RSR.
  Howard.
  
  LikeLike
13

Andy Ormsby on July 18, 2023 at 10:21 am

Howard is spot on in highlighting both the sloppiness of Apple in their version numbering and the arrogance of service provides in deciding what browsers and browser versions they choose to allow. Neither Apple nor the service providers emerge from this episode looking very good. Apple will doubtless learn from the exercise. I’m less convinced that service providers will become more liberal in the “User-Agent” strings they accept, which is a shame and goes against the original principles of the Internet’s standards.

LikeLiked by 2 people