macOS Ventura: How Apple rolls out fast, no-reboot security updates

It is a discreet novelty of macOS Ventura and iOS 16, but which will be a pillar of the security of these systems. Apple will be able to push fixes that will apply automatically, without having to restart the Mac, iPhone or iPad unlike classic updates.

In iOS 16 and macOS Ventura, the new option “Install security updates and system files” is present in the Software Updates settings.

The faults will therefore be blocked more quickly, without the user having to lift a finger or hang around in front of his bike to be safe. “Big” updates that include new features will always require a restart, however.

“Rapid” security updates on iOS 16 and macOS Ventura

“Rapid” security updates on iOS 16 and macOS Ventura

Technically speaking, Apple is relying on a feature implemented with macOS Catalina. System files are stored in a separate partition Macintosh HD, read-only. User data is installed in a partition Macintosh HD - Données, readable and writable of course. Both partitions are part of the same APFS container and resize on the fly as needed.

macOS Catalina: the system installed on a read-only partition

macOS Catalina: the system installed on a read-only partition

However, it was still possible, by disabling SIP, to mount the partition Macintosh HD and make changes to it. Simply, when the Mac restarts, the volume goes back to read-only. With macOS Big Sur, Apple added security: the signed system volume (SSV) that contains the OS will not boot if macOS detects that files have changed.

So far, when installing new versions of macOS, the SSV comes up in the background, the files are updated and then a new cryptographic signature is created for verification along with an APFS snapshot (snapshot) of the system state. With these tools, the Mac can then restart without problems.

To install its future security updates without restarting, macOS Ventura relies on “cryptex” disk images, as the site explains. Threedots. They are seen by the system as extensions of the existing volume.

These images can be opened and files can be edited in them independent of the SSV, but for macOS they are part of the system volume. Therefore, Ventura can patch system files and apps — like WebKit, JavaScript frameworks, or Safari — present in those cryptex images, without having to touch the SSV.

For the user, it’s completely transparent and even painless, since his machine doesn’t even need to restart. And for Apple, this new system strengthens the security structure of its operating systems. It remains to be seen how often the manufacturer intends to use it, and if this will have an impact on the rhythm of traditional maintenance updates.


Leave a Comment