Apple Releases “first” Background Security Improvement for macOS, iOS, and iPadOS
Today Apple released the first of its Background Security Improvements (BSI) to Macs, iPhones, and iPads, patching a vulnerability in Safari’s WebKit engine. These updates enhance protection against vulnerabilities without requiring a full system restart. If you are wondering what a Background Security Improvements (BSI) is, that is Background Security Improvements (BSI) is the replacement for Rapid Security Response (RSR) that changed names with the advent of OS 26. The old RSR updates were last used in 2023 with macOS 13.
What Happened
Apple issued a security advisory today disclosing a bug in WebKit, the browser engine that underpins Safari and a wide range of other apps. The flaw, if exploited, could allow a malicious website to potentially access data from a different website open in the same browser session.
The fix was released not as a traditional OS update, but as a lightweight delivery mechanism called a Background Security Improvement (formerly RSR). On macOS Tahoe, the update is identified as BSI (a)-25D771280a, and it bumps Safari from version 26.3.1 (21623.2.7.11.7) to 26.3.1 (21623.2.7.111.2). On iPhones and iPads, the update similarly identifies as iOS/iPadOS 26.3.1 (a).
What Makes BSIs Different
Background Security Improvements are Apple’s solution to a challenge in software security: how do you get critical fixes to users quickly, without the friction of a full OS update?
Traditional OS updates are heavyweight. They require lengthy downloads, reboots, and often get deferred by users for days or weeks. BSIs are designed to be different. Apple describes them as “lightweight” patches aimed at specific software components like Safari, WebKit, and key system libraries that benefit from rapid, ongoing security maintenance.
This new BSIs is available on devices running iOS, iPadOS, and macOS version 26.3.1, and can be found for manual install under Privacy & Security settings, under the Background Security Improvements section. These devices MUST be on the base OS of 26.3.1 to get the (a) BSI patch they can not jump from say 26.2.0 to 26.3.1(a), they must first get the OS 26.3.1 base patch to apply the (a) BSI.
The Vulnerability
The bug lives in WebKit and relates to cross-site data access which is a category of vulnerability that could let a malicious site access the data from another site you have open in Safari. Apple has not indicated that this vulnerability is being actively exploited in the wild.
That said, browser engine vulnerabilities are a perpetual target for attackers, and the speed with which Apple deployed a fix, using this new delivery system, indicates the company considers it a priority.
Next steps to deploy the Background Security Improvement (BSI) via Addigy
Install via Automatic Actions
If you configure the new Update Settings Declaration with Automatic Actions it will send to the macOS 15 and up devices in your policy settings that will automatically install the BSI after the deferral period is up.
Here is an example of this setup where BSI updates are set to auto install the day after they drop. These updates will install on the device when it meets state of charge, free space, and user inactivity criteria.
With the new Update Settings Declaration with Automatic Actions you will see that the Privacy & Security settings, Background Security Improvements section is now managed and auto install is enforced and can not be modified by the end user.
Install via MacManage Prompt
Shoutout to Addigy Community member Tyler Williams who put together a script to prompt end users about the latest macOS security update using the built-in MacManage (Self Service) tool.
Find it in the Addigy Community here: https://app.addigy.com/community/scripts/69b9d95cf6fc47c1ce2ae956
When this script is run the end users will see a prompt letting them know that a security update is required and opens up the System Preferences pane to allow them initiate the update.
