Apple released iOS 26.5.2 with fixes for 25+ security issues—primarily in WebKit and WebRTC—across iPhone, iPadOS, and macOS; no new features, update is recommended for all users, with official security notes linked and the release rolling out ahead of iOS 26.6.
Apple has begun rolling out Background Security Improvements that run in the background between major OS updates, delivering lightweight security releases for WebKit, Safari, Mail and App Store across iPhone, iPad and Mac. The feature is supported on iOS 26.1, iPadOS 26.1 and macOS 26.1 and is enabled by default with an option to disable in Settings; the first rollout began March 17, 2026, with additional background updates expected between releases.
Apple is rolling out Background Security Improvements—lightweight, between-update patches for Safari, WebKit, and other system libraries. These patches address vulnerabilities (including a Same Origin Policy bypass) without requiring a full OS update. To use them, enable Background Security Improvements in Settings > Privacy & Security (or System Settings on macOS) and install manually or automatically. The first updates appeared as iOS 26.3.1 / macOS 26.3.2 updates.
Apple released the first Background Security Improvements update to fix a WebKit cross-origin flaw (CVE-2026-20643) that could bypass the Same Origin Policy. The lightweight patch arrives outside the normal OS update cycle for iOS 26.3.1, iPadOS 26.3.1, and macOS 26.3.1/26.3.2, and Apple recommends not uninstalling it since removing patches reverts the device to baseline security.
Apple has started delivering Background Security Improvements—small, lightweight security patches for Safari/WebKit and other system libraries—across macOS, iOS, and iPadOS. These updates run in the background and require a device restart to complete, with the inaugural patch targeting WebKit on devices running iOS 26.1, iPadOS 26.1, and macOS 26.1. Apple says these patches install faster than full software updates.
Apple warns of two critical WebKit flaws that could let hackers take control of iPhones or iPads via malicious websites. A patch is available in iOS 26.2 / iPadOS 26.2, but with roughly 800 million devices still unpatched, many users remain at risk. The most vulnerable models include iPhone 11 and newer and various iPad generations. The recommended defense is updating to the latest software (automatic updates should already protect most users; otherwise, manually install iOS 26.2).
Japan's Mobile Software Competition Act will require Apple to allow non-WebKit browsers on the iPhone, promoting competition and enabling browsers like Chrome and Firefox to use alternative engines. The law takes effect in December and builds on recent EU regulations, with similar expectations in the UK. Apple has already made some changes in the EU, but Japan's law aims to ensure a more open environment for web browsers on iOS.
Despite a 16-month-old EU ruling allowing iOS developers to use alternative browser engines, Apple continues to impose restrictions that hinder competition, according to the Open Web Advocacy group. These restrictions include legal and technical barriers that force developers to create separate apps for different regions, limiting user base growth and competition with Safari, which significantly contributes to Apple's revenue. Although support for non-WebKit browsers was added in iOS 17.4, critics argue that Apple's restrictions still prevent fair competition, with ongoing regulatory pressure in the UK.
Apple has released iOS 18.1.1, urging users to download it immediately due to critical security patches. The update addresses vulnerabilities in JavaScriptCore and WebKit, which could allow arbitrary code execution and cross-site scripting attacks, respectively. These issues were identified by Google's Threat Analysis Group, highlighting the importance of updating to protect against potential exploits.
Apple has released security updates to address two zero-day vulnerabilities actively exploited in cyberattacks targeting Mac users. These vulnerabilities, found in WebKit and JavaScriptCore, could allow attackers to execute arbitrary code by tricking devices into processing malicious web content. The attacks, reported by Google's Threat Analysis Group, suggest possible involvement of government-backed actors. Apple urges users to update their devices immediately to protect against potential exploitation.
Mozilla expresses disappointment with Apple's new rules in the EU, which allow browsers like Firefox to use their own engines on iOS but only in the EU, making it challenging for browsers to manage different versions. The change means third-party browsers could become fully functional on iOS without WebKit limitations, but Mozilla argues that Apple's proposals create barriers to true browser competition on iOS. Other developers, including Epic and Spotify, have also criticized the new rules, which are pending approval by the EU Commission.
Apple has released iOS 17.3, urging all iPhone users to update immediately due to the fix of 16 security issues, including a vulnerability in WebKit already being exploited in real life attacks. The update also includes Stolen Device Protection and is crucial for older devices, as Apple no longer supports them with security updates. Additionally, iOS 16.7.5 and iOS 15.8.1 updates have been issued for older iPhone models, fixing multiple security issues, some of which are already being exploited. It is recommended for all iPhone users to update their devices to the latest software immediately.
Apple has released security updates to fix the first zero-day vulnerability exploited in attacks this year, impacting iPhones, Macs, and Apple TVs. Tracked as CVE-2024-23222, the WebKit confusion issue could allow attackers to execute arbitrary malicious code on vulnerable devices through a malicious web page. While the company is aware of in-the-wild exploitation, it has yet to attribute the discovery to a specific researcher. Users are advised to install the latest security updates to protect against potential attack attempts, with a comprehensive list of impacted devices provided.
Apple has released security updates for iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address multiple security flaws, including two recently disclosed zero-days. The updates patch vulnerabilities in various components such as Bluetooth, AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit. Notable fixes include a critical Bluetooth vulnerability that could allow keystroke injection and two WebKit flaws that could lead to arbitrary code execution and a denial-of-service condition. The updates also include additional security enhancements, such as Siri bug fixes and Contact Key Verification for iMessage conversations. Apple has also released updates to address security issues in tvOS and watchOS, including two WebKit vulnerabilities actively exploited in the wild.
Apple has released emergency security updates to address two zero-day vulnerabilities found in the WebKit browser engine, which is used by Safari across Apple's platforms. These flaws could allow attackers to access sensitive data and execute arbitrary code on unpatched devices. The updates cover older iPhones, Apple Watch, and Apple TV models. The vulnerabilities were discovered by a security researcher from Google's Threat Analysis Group (TAG), and while Apple has not provided details on their exploitation, Google TAG has previously identified zero-day flaws used in state-sponsored surveillance attacks. This marks the 20th zero-day vulnerability patched by Apple this year.