You Should Turn On This New Security Update Feature on Your iPhone and Mac
Security updates aren’t as flashy or fun as feature updates, but they are just as, if not more, important to install. They include fixes for vulnerabilities in your device’s operating system that could expose you to hacking. By fixing these vulnerabilities as quickly as possible, you reduce the risk to your device and its data.
Traditionally, Apple has largely limited its security updates to its general software releases, large and small. Rather than releasing iOS 26 and a subsequent security patch, Apple is simply bundling the two together. Even if you don’t (or can’t) update to the latest version of iOS, Apple will add the most important fixes to new updates for older versions of iOS (e.g. iOS 18.7.6 or iOS 15.8.7). But the company has been playing around with individual security releases in recent years, especially for particularly timely patches. They started with Rapid Security Responses, which were updates specifically labeled as such, like iOS Security Response 16.4.1(a). I thought this was a great idea, especially since other platforms, like Android and Windows, already do this for their users.
Although it seemed like a good idea, Apple hasn’t released one in a while. Instead, the company has largely returned to releasing security updates alongside regular software updates, whether or not it has new features to include in said update. It seems that the company is now trying a new type of security update, rather hidden.
Apple’s background security improvements are a new type of security update
Originally announced with iOS 26.1, iPadOS 26.1, and macOS 26.1, Apple is now rolling out “background security improvements.” According to the company, these are “light security releases” for things like Safari, WebKit (the framework Safari is built on), and other system libraries. Like Security Rapid Responses, the idea is to release smaller patches between software updates. This way, Apple doesn’t need to release iOS 26.3.2 to update Safari; you can stay on iOS 26.3.1 and still update Safari with the appropriate patch.
In fact, this feature just received its first update this week. On Tuesday, Apple released version 26.3.1 (a) for iOS, iPad and macOS. (There is also a macOS 26.3.2(a) for MacBook Neos running macOS 26.3.2). This update addresses a WebKit flaw that allows malicious actors to bypass the same-origin policy if you click on malicious web content. The same origin policy generally prevents malicious sites from accessing other sites you may have open. For example, if you open a malicious site, the same origin policy should prevent it from accessing your Gmail inbox open in another tab. But this flaw allowed bad actors to get around this problem.
What do you think of it so far?
This update is available on all Apple devices running the latest versions of Apple operating systems, but you won’t find it if you check your software update settings. It’s not because it’s still being rolled out; rather, you need to ensure that background security enhancements are enabled in order to open these new security updates.
How to enable background security enhancements
On your Apple device, open Settings (System Settings on macOS), then go to Privacy and security. Here, scroll to the bottom of the page and then choose Background security improvements. Here, make sure “Install Automatically” is enabled. If so, the update should install itself, but it’s unclear when it will.
You can also install the update manually. Under this toggle, you will see the latest update of background security improvements. Choose “Install”, enter your passcode or password and your device will start downloading the update. When it is ready, you can click “Restart and Install”.
