macOS 26.3.1 (a)
Apple has just released its first public Background Security Improvement (BSI) for macOS 26.3.1 Tahoe, labelled as BSI (a)-25D771280a.
Available for: iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, macOS 26.3.2
Impact: Processing maliciously crafted web content may bypass Same Origin Policy
Description: A cross-origin issue in the Navigation API was addressed with improved input validation.
This update will NOT show up in Software Update. It will only display in System Settings > BSI Updates.
Update (2026-03-19): Juli Clover:
Background Security Improvements can be installed in the Privacy and Security section of the Settings app. Scroll down, and then select the Install option to install the update. If Automatically Install is toggled on, BSIs will be automatically installed when they come out.
In order to install the available Background Security Improvement, you have to enable automatic installation.
Automatically Install was enabled, but the update had not been performed. There was an “install” link, which we selected – it then took a long time to download and eventually forced a restart of the iPhone.
Going back to Settings > Privacy and Security > [scroll down pages] Background Security Improvements showed the updated version. Touching a tiny “i” icon pops up the option of removing these security patches.
Apple says Background Security Improvements that update only Safari on the Mac will require just a Safari relaunch, not a full restart. However, this update does require a restart—and on the Mac, it doesn’t prompt you first as it does in iOS. It felt surprisingly abrupt after the relatively slow downloading phase.
If you know a BSI is available but Privacy & Security settings appear unable to find it, something I’ve encountered in Virtual Machines, try running SilentKnight. Although BSIs aren’t controlled in Software Update, they do still use the same softwareupdate system used by SilentKnight. Normally you shouldn’t try to install BSIs using SilentKnight, as installation will fail. However, you can turn this to your advantage when a BSI is being elusive. […]
Most telling, though, are the accounts of RSRs and BSIs given in Apple’s Platform Security Guide, which are almost word-for-word identical apart from their names. It seems most likely that a BSI is a rebranded RSR in a bid to move on from the loss of confidence in RSRs following unfortunate errors nearly three years ago.
Update (2026-03-26): Howard Oakley:
Now I’ve had a chance to give a fair account of the first public BSI, I can consider what’s wrong with their current implementation.
Update (2026-03-30): Khanh:
This post walks through how BSI updates work under the hood. More importantly, it shows what Apple actually shipped: one publicly disclosed WebKit CVE, and at least two additional security-relevant changes that didn’t make it into the advisory.
6 Comments
Color me unimpressed.
-- I needed to do an internet search just to find where this is in Settings. (Hint, it's not called BSI updates, it's called Background Security updates. And it's not a main menu item, instead you need to go to Privacy & Security, scroll all the way to the bottom.)
-- I deliberately turn off all automatic updates. Been doing this for a few years. Still, my iPhone nags me about all releases but at least this leaves the timing of installs *UP TO ME*. Guess what? This one - not part of any updates under, you know, Software Updates - was still turned on. I thought my purchase of hardware meant something more akin to ownership than having things automatically happen without my permission.
I check around 3pm on Mondays and Tuesdays at the Developer site for new downloads. (On occasion I'll check Thursdays too.) This release is not listed. Sigh....
I should have added... I do get why Apple does this. But the only two devices (developer iPhone and iPad) are devices that (a) never leave my house and (b) are used for development and/or NOT the browser inside of it. I feel "safe and secure" without this kind of intrusion. (My personal iPhone and MacBooks are NOT - yet - on OS26.)
I am quite confused. Both my iPhone and my Mac required a restart after applying the update. Why not just make it a minor security release?
BSI seems more useful for updating things like Safari/WebView libraries that potentially only require an app restart.
To clarify, it is true this is not found in the usual Software Updates location, but rather BSI Updates is quite buried at the bottom of the Privacy & Security section.
FWIW this is not new. It was introduced in iOS 16 as Rapid Security Response. They renamed it in the 26es and moved the setting somewhere harder to find (it used to be part of the Software Update screen which is where anyone would expect it to be).
I'm extremely confused by all the reporting about this update. If I'm on 18.7.2 because Apple are being glassholes and don't release newer 18.7 updates for e.g. the iPhone 14 Pro – am I at risk? I looked through a dozen articles about this and nowhere could I find a definitive answer to that question. It certainly sounds like it, but that would be so unfathomably pathetic for Apple to do that I'm having a hard time believing it.