With the first security update to macOS Ventura, 13.6, already being tested, it's time to take stock of the coming year of macOS updates, and what we can expect. Under Apple's unstated policy, Big Sur has already been consigned to the past, and is now unsupported. Monterey has entered its second and final year of security-only updates, and Ventura has now joined it in security-only support. But what can we expect Ventura to get over the next year: will those updates include Rapid Security Responses (RSRs) too?
RSRs were new in Ventura, and over the last year Apple has released two of them, the second of which had to be re-released in a fixed version. The first of those, 13.3.1 (a), fixed two vulnerabilities in WebKit that Apple believed may have already been exploited, and was followed 17 days later by 13.4, which incorporated those fixes into a macOS update. The second, 13.4.1 (a) and (c), addressed another vulnerability in WebKit, and its fix was incorporated into 13.5 two weeks later.
RSRs are much smaller than even the most minimal macOS update, so far little more than 300 MB even for Apple silicon Macs, whose smallest macOS updates weigh in at around 1.9 GB. Most importantly for Apple, they are released without external testing, and are simpler to deliver and install. When the 13.4.1 (a) RSR had to be replaced to fix its bug, it took only two days, compared with the period of over three weeks required to release 13.5.1 and fix a single bug in a full macOS update. For the great majority of users, fixing a vulnerability by an RSR a couple of weeks sooner than could be achieved by a macOS update might not appear significant, but depending on the threat from its exploitation, it could save a sizeable minority from catching something very nasty. Most importantly, though, it's an overt sign that Apple is responding as rapidly as possible to new threats.
Once Apple has released macOS 14 Sonoma in the coming month or two, we'll have two versions of macOS that can receive RSRs: Ventura, in its first year of security-only support, and Sonoma, fresh out of beta-test. Should we expect RSRs for both of them?
Apple clarified this only yesterday, in an updated support note about RSRs. That makes clear that we're unlikely to see an RSR attempting to patch the kernel for a while, as they're targeted primarily at Safari, WebKit and "other critical system libraries". It also states that "New Rapid Security Responses are delivered only for the latest versions of iOS, iPadOS, and macOS, starting with iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1."
Should we ever see another RSR for Ventura, then it will be an exception to that rule. When Apple considers there's a high threat of a vulnerability in WebKit or similar that's already being actively exploited, Sonoma might receive an RSR a couple of weeks before those bugs are fixed in an urgent macOS update, and in the next security updates for Ventura and Monterey. If the bugs aren't amenable to an RSR, given the current limitations of RSRs, then we'll still have to wait for a patch update to macOS.
We should therefore plan on the following over the coming year:
- Sonoma receives full support, including additional features, general bug fixes, and security fixes including RSRs.
- Ventura receives security-only support in periodic security updates, but no more RSRs, starting from version 13.6, due with the release of Sonoma.
- Monterey continues to receive security-only support in periodic security updates, its next release being 12.7, also due alongside Sonoma.
- Big Sur is unsupported, its final release being 11.7.9.
I hope that helps you plan your upgrades.