Apple Relaunches Background Security Improvements with WebKit Patch

Originally published at: Apple Relaunches Background Security Improvements with WebKit Patch - TidBITS

Apple has released iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a), marking the first public use of its new Background Security Improvements system, a renamed version of the previous Rapid Security Responses (see “What Are Rapid Security Responses and Why Are They Important?,” 2 May 2023). Much like Rapid Security Responses, these updates deliver “lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries” without requiring a full operating system update. Apple provides much more information about Background Security Improvements in the Platform Security guide.

The sole issue addressed, CVE-2026-20643, involves a flaw in WebKit’s implementation of the Navigation API that could allow maliciously crafted Web content to bypass the same-origin policy, a foundational browser safeguard that prevents a malicious script on one site from accessing data on another.

Apple doesn’t say that this vulnerability has been actively exploited, but the company considered it important enough to ship via this new mechanism, even though OS 26.4 is due out soon.

Given that implicit indication of importance, we recommend installing this Background Security Improvement soon. In theory, that shouldn’t require any action on your part, as long as Automatically Install is turned on in Settings/System Settings > Privacy & Security > Background Security Improvements. It’s as yet unclear when or how that automatic install will take place, but you can also install manually by tapping Install, waiting a few minutes for it to download, and then tapping Restart & Install.

Background Security Improvements in iOS 26.3.1

Unsurprisingly, you’ll see an option for the (a) releases only if you have 26.3.1 or 26.3.2 (the latter only for the MacBook Neo) installed. In practice, that’s likely a small group, since OS 26.3.1 was released primarily for Apple Studio Display updates and macOS 26.3.2 is limited to the MacBook Neo (see “OS 26.3.1 Adds Studio Display Support, Fixes Bugs,” 6 March 2026). If you’re still running an older version of OS 26, the Background Security Improvement will instead be bundled with the overall update available in Settings/System Settings > General > Software Update, as you can see on my little-used iPad below. It’s confusing, and Howard Oakley has trenchant comments on the flawed interface.

Background Security Improvements in iPadOS 26.3.1

What’s notable about Background Security Improvements is that they can be smaller and quicker to install than full operating system updates, and they can be reverted, either by the user or Apple. Apple says Background Security Improvements that update only Safari on the Mac will require just a Safari relaunch, not a full restart. However, this update does require a restart—and on the Mac, it doesn’t prompt you first as it does in iOS. It felt surprisingly abrupt after the relatively slow downloading phase.

Background Security Improvements in macOS 26.3.1

To remove a Background Security Improvement, navigate to Settings/System Settings > Privacy & Security > Background Security Improvements, tap the ⓘ button next to the update, then Remove & Restart. You might want to do this if you notice problems with Safari after installing.

After Apple made a big fuss about Rapid Security Responses in 2023 and used them a few times for iOS and iPadOS, it made a mistake by updating Safari’s version number to include the parenthetical update letter. That prevented some websites, notably Facebook and Instagram, from recognizing Safari, causing them to display their mobile versions instead of the desktop versions. Apple quickly pulled the updates (see “Apple Pulls Rapid Security Responses Due to Website Loading Issues,” 11 July 2023) and then reissued them (see “Rapid Security Responses for iOS/iPadOS 16.5.1 (c) and macOS Ventura 13.4.1 (c),” 13 July 2023). This time, Apple was careful to change only Safari’s build number.

Safari version numbers

That debacle seemingly scared Apple away from Rapid Security Responses. (If only it had scared people away from Facebook and Instagram!) Apple issued no Rapid Security Responses for the next two operating system cycles and introduced Background Security Improvements only in iOS 26.1, iPadOS 26.1, and macOS 26.1 Tahoe. We’ll see if they’re here to stay this time.


Thanks for the link. A quick web search didn’t find that page and I was wondering what they changed.

I did notice that the Background Security Improvements (Settings → Privacy & Security → Background Security Improvements) was set to automatically install.

Oddly enough, this update didn’t auto-install (maybe it was waiting for me to connect the phone to a power cord). I manually triggered the installation, but also turned off auto-install so I can choose when it happens.


@ace wrote a good article about this new feature and he mentions that installing this BSI (at least manually) will require a restart of your iPhone. If my phone automatically installed the BSI and I wasn’t aware it was happening, then it suddenly restarted on its own, I might be a little concerned. Theoretically, the BSIs shouldn’t require restarts. Maybe the restart is only required this first time. Time will tell.

I’m going to be interested to hear what people experience with the automatic BSI updates. In theory, all you’d really notice with an iPhone restart would be a request to enter your passcode after a restart. Since iOS requests your passcode on a regular basis anyway, that shouldn’t be a major surprise or issue. I very much doubt the automatic install would take place during a time you’d notice.


How does that affect the Settings > General > Software Update > Automatic Updates > Security Responses & System Files setting? Does it replace it?

Automatic install hadn’t happened on my Mac, iPhone, or iPad (all current with 26.3.1) as of this (3/18/26) morning. So I tried manual installations. Worked as expected on Mac & iPhone, but had to try multiple times to click on the Install link on my iPad.

First 3 times, it kicked me out of Settings. 4th time, the Install link appeared shaded, I was able to click on it, got the download and Restart request. Restart was normal and iPadOS 26.3.1 (a) was installed.

I’m guessing that it might not have been able to immediately contact Apple & request the download the first three times.


It looks like the “Security Responses & System Files” option does not exist in iOS 26:


So far this first one is a little confusing. When I first looked at my iPad this morning (around 9am), I had a notification:

But in Settings > Security Improvement Available I see:

So despite being configured to automatically install, and having known about it for almost 6 hours now (it’s 9:52am here as I’m writing this), the majority of which was very early morning, it hasn’t installed it. 🤷‍♂️


If you have a lock screen widget that gets its data from an app (e.g. weather widgets), you’ll notice that the fields are blank.


Count me annoyed. While I don’t mind my iPhone having to reboot to install a security update, I do mind when my desktop machine has to restart, since that can greatly interrupt the workday.

When I told it to manually install the improvement I was definitely not expecting it to require a restart. Isn’t the whole point of this “improvements” mechanism that it be lightweight and minimally disruptive? If not, how is it any different from a normal update? Why have a totally different mechanism for viewing improvements in Settings if they are functionally the same as an update from the end-user’s point of view?


Ah, then since Apple is no longer using “Security Responses & System Files” to provide security fixes, I will disable the automatic updating for them in 18.7.2 & 18.7.3. Thank you.

I don’t care for “automatic” updates of ANY kind.
I turn all that stuff off, whenever possible.
Yes, notify me that updates are available.
But I want the decision to actually install them… to be mine.


I agree but the old “Security Responses & System Files” system didn’t notify you of them.

After not manually installing the BSI on my iPhone for 2 days, and the phone not installing it even though I had Software Updates > System Files > Automatically install enabled, this morning I see the update was installed while my phone was plugged in overnight. Obviously, I don’t know if it restarted after installation. Everything seems normal this morning (so far).


To follow up on my post above, after about 53 hours, it still hasn’t installed. My iPad has had plenty of plugged-in idle time, my WiFi and internet have been available the whole time, etc. One more thing I want to try before manually installing it, but it seems to be a fairly severe security issue if I’ve got “Automatically Install” set for Security Improvements and it doesn’t.


So I tried turning on Automatically Install in Settings > General > Software Update > Automatic Updates, thinking that would make it download and install 26.3.1 (a) (and any other update or upgrade that came along, but I was betting there wouldn’t be either this soon after 26.3.1, and there hasn’t been). Except, 24 hours later, it’s still not installed. And worse, Background Security Improvements seems to have disappeared completely, so I can’t even manually install. I’ll let it sit and call Apple support Monday if it still hasn’t installed or become available to install, but at this point, I consider the process a massive security failure.

The phone would require your passcode after a restart. In other words, if your iPhone did not require your passcode, then it did not restart. (If your iPhone did require your passcode, then maybe it restarted and maybe not.)


You can tell from the message on the screen where it asks for your passcode.

After a restart, the screen says:

Your passcode is required when iPhone restarts

If you used the emergency screen to lock the phone, it says:

Your passcode is required to enable Face ID

If it simply can’t read your face for some reason (e.g., covering the camera lens or a different person), it just says “Enter Passcode”, with no additional text.


I doubt that setting affects BSI updates in any way. Apple gets to decide when and if it happens.