Apple has deployed its first Background Security Improvements update, addressing a WebKit vulnerability tracked as CVE-2026-20643 across iPhones, iPads, and Macs without requiring full operating system upgrades. The flaw, discovered by researcher Thomas Espach, enabled malicious web content to bypass the browser's Same Origin Policy through a cross-origin issue in the Navigation API. The fix arrives on iOS 26.3.1, iPadOS 26.3.1, and macOS 26.3.1 and 26.3.2.
This marks the first implementation of Apple's Background Security Improvements feature, introduced in iOS 26.1, iPadOS 26.1, and macOS 26.1 to deliver lightweight out-of-band security patches between major updates. The system targets components like Safari, the WebKit framework stack, and system libraries with smaller incremental fixes applied silently in the background. Previously, all security updates required users to install new OS versions and restart their devices.
Users can manage these background updates through Privacy & Security settings on their devices. Apple warns that uninstalling a Background Security Improvements update removes all previously applied patches, reverting the device to its baseline OS version without incremental protections. This effectively eliminates rapid-response security fixes until updates are reapplied or included in future full releases. Unless compatibility issues arise, users are strongly advised against removing these background security patches.
