Apple is changing its approach to security patching, in response to the growing threat of accelerated artificial intelligence (AI) attacks.
The company has historically saved big, bundled sets of bug fixes for new versions of its operating system (OS). That’s set to change. The company released a variety of security updates June 29 for iPhones, iPads, MacBooks, and the Safari browser, untethered to any major version releases. It’s hardly the first time it’s released security updates out-of-band, but the motivation was different this time. According to Reuters, the company said “it was adapting to the reality that, given the ability of artificial intelligence to speed the development of malicious hacking tools, it needed to reduce the time between when updates were first made public and when they were put into customers’ hands.”
“I think faster patching helps, but it doesn’t fully close the gap, because it’s still a single point of defense with no fallback if something slips through,” Rocky Cole, CEO of iVerify, warns. “And against AI-accelerated discovery, something will slip through.”
Dark Reading has reached out to Apple for comment on this story.
Why Apple Is Changing its Patching Cadence
In speaking with reporters, Apple emphasized that none of the newly released fixes pertained to actively exploited vulnerabilities. In other words, the point wasn’t to address any known cyberattacks, but to start updating more frequently in general.
“The data isn’t in dispute when it comes to the need for a different patching cadence,” Cole says, citing Mandiant’s time to exploit (TTE) findings. “In 2018, the average time to exploitation was about 63 days. In the last two years, that number has actually flipped negative, meaning that, on average, attackers are now routinely weaponizing a flaw before a patch is even public. Zero-days are now, on average, being used more than n-days.”
Cole has experienced the shift firsthand. Through OpenAI’s Trusted Access for Cyber program, he’s tested emerging models for his own company’s sake. “We’ve already found around a dozen bugs, one of which just got acknowledged by Apple as a CVE. And in some cases, we’ve been able to use the AI tools to see those into exploitation,” he says.
Emphasizing the point, he adds, “We’re a small team. We’ve got two researchers that do this, and we’ve only been in the program for about two months, and it’s still early days for this new sort of AI-driven vulnerability discovery. So if this is what we’re seeing, I think it’s indisputable that the old sort of patching model was broken and needed an update.”
Will Users Actually Download Their Patches?
Apple’s tendency to save security fixes for OS updates is unpopular in cybersecurity circles for an obvious reason: it leaves users exposed for longer periods of time.
What’s arguably even worse, though, is that as Apple customers have been trained over time to expect security and usability updates as package deals, many have decided to avoid updates. Apple has made many controversial updates to its user interface (UI) over the years, like its recent Liquid Glass aesthetic, and users who’ve downloaded changes they don’t like one too many times usually just stop updating altogether. Security, meanwhile, is an afterthought to the UI and user experience (UX) features they engage with daily.
Cole recalls how “we just saw a Coruna infection last week, from someone still on iOS 16. We reached out to them and they told us they’d skipped updating because they didn’t like the new user interface. So faster patching doesn’t help if people don’t install it.”
The iOS Security Model Still Falls Short
For Cole, though Apple’s new philosophy on patching is positive, it’s still not sufficient to protect iOS users in particular. For one thing, there’s the point made earlier: attackers are now using iOS zero-days more often than n-days.
“The iOS security model is an outlier,” he says. “It’s the only widely used computing platform in the world that doesn’t have a real security framework on it. There’s no equivalent of an extended detection and response (XDR) or endpoint detection and response (EDR) layer that the security community can build on. And the ecosystem is closed off from third-party cybersecurity tools. Apple’s model is basically: Trust us, we’ll protect the device.”
It’s also more of an issue for enterprises than for individual consumers, because most enterprises follow an N-1 patching strategy to avoid compatibility issues and crashes. “When you analyze the problem from that angle, I think the only feasible solution to this is that there needs to be a security framework on an iPhone that lets companies take defense into their own hands, the same way they do on every other endpoint,” Cole says.
After all these years, he adds, “It’s a little wild that people aren’t just saying it plainly: that the ‘go it alone’ security model is broken.”