Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS

Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS
嗯，用户让我用中文总结一下这篇文章，控制在100字以内，而且不需要用“文章内容总结”这样的开头。好的，我先快速浏览一下文章内容。文章主要讲的是苹果发布了Background Security Improvements，修复了WebKit中的一个安全漏洞。这个漏洞影响了iOS、iPadOS和macOS系统。漏洞编号是CVE-2026-20643，属于跨域问题，可能被用来绕过同源策略。苹果通过改进输入验证来修复这个问题，并且提到了安全研究员Thomas Espach的贡献。另外，苹果还介绍了Background Security Improvements的机制，它是通过较小的安全补丁而不是大型更新来发布安全修复。用户可以在设置中控制这个功能的自动安装。总结的时候需要涵盖苹果发布补丁、修复WebKit漏洞、影响的系统版本、以及Background Security Improvements的特点。同时要注意字数限制在100字以内。可能的结构是：苹果发布安全改进补丁，修复WebKit漏洞（CVE-2026-20643），影响iOS、iPadOS、macOS部分版本。该漏洞可能导致跨域攻击绕过同源策略。补丁通过改进输入验证解决，并支持未来版本的持续更新。 </think> 苹果发布Background Security Improvements补丁，修复WebKit跨域漏洞（CVE-2026-20643），影响iOS 26.3.1、iPadOS 26.3.1及macOS 26.3.1/26.3.2版本。该漏洞可能被用于绕过同源策略进行攻击。补丁通过改进输入验证解决，并支持未来版本的持续更新。 2026-3-18 06:31:0 Author: thehackernews.com(查看原文) 阅读量:4 收藏

Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS.

The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), has been described as a cross-origin issue in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content.

The flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. It has been addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Security researcher Thomas Espach has been credited with discovering and reporting the shortcoming.

Apple notes that Background Security Improvements are meant for delivering lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries through smaller, ongoing security patches rather than issuing them as part of larger software updates.

The feature is supported and enabled for future releases starting with iOS 26.1, iPadOS 26.1, and macOS 26. In cases where compatibility issues are discovered, the improvements may be temporarily removed and then enhanced in a subsequent software update, Apple adds.

Users can control Background Security Improvements via the Privacy and Security menu in the Settings app. To ensure that they are automatically installed, it's advised to keep the "Automatically Install" option on.

It's worth noting that if users opt to have this setting disabled, they will have to wait until the improvements are included in the next software update. Viewed in that light, the feature is analogous to Rapid Security Response, which it introduced in iOS 16 as a way to install minor security updates.

"If a Background Security Improvement has been applied, and you choose to remove it, your device reverts to the baseline software update (for example, iOS 26.3) with no Background Security Improvements applied," Apple noted in a help document.

The development comes little over a month after Apple issued fixes for an actively exploited zero-day impacting iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS (CVE-2026-20700, CVSS score: 7.8) that could result in arbitrary code execution.

Last week, the iPhone maker also expanded patches for four security flaws (CVE-2023-43010, CVE-2023-43000, CVE-2023-41974, and CVE-2024-23222) that were weaponized as part of the Coruna exploit kit.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

文章来源: https://thehackernews.com/2026/03/apple-fixes-webkit-vulnerability.html
如有侵权请联系:admin#unsafe.sh