Apple devices remain vulnerable to a flaw that could permit malicious code to run
Safari’s WebKit rendering engine has a flaw that could crash the browser and enable malicious code execution, and Apple hasn’t yet patched it even though a fix’s been available for weeks.
STORY HIGHLIGHTS:
- A fix for the WebKit flaw has been available for weeks.
- However, the flaw is still present in iOS, iPadOS and macOS.
- Apple fails to patch the WebKit flaw despite the available fix.
Apple, WebKit flaws and patch-gapping
A new report from Ars Technica explains that Safari’s WebKit engine has a flaw on iOS, iPadOS and macOS that could allow malicious code to execute on your iPhone, iPad, iPod touch and Mac devices. Curiously, a fix for the flaw has been available for three weeks now.
However, Apple’s yet to implement it.
Recent Apple OS updates include fixes for several vulnerabilities in WebKit, but not for this particular flaw even though it could open the door to further malicious attacks. The company is currently testing iOS 14.7 with its registered developers and public beta testers, but it’s unclear if the updates include a fix for the vulnerability.
A bug in AudioWorklet seems to permit malicious code to execute on the device. AudioWorklet is a WebKit feature that’s responsible for rendering audio from web pages.
A fix for the AudioWorkelt bug has been developed by third-party developers several weeks ago, but it’s unclear why Apple hasn’t implemented it already. Of course, the company could easily implement a fix for the vulnerability in upcoming operating system updates.
WebKit is a layout engine created by Apple that’s used by Safari and many other web browsers.
“We didn’t expect Safari to still be vulnerable weeks after the patch was public,” vulnerability researcher Tim Becker of cybersecurity startup Theori commented on Twitter.
This exploit was a fun challenge. We didn’t expect Safari to still be vulnerable weeks after the patch was public, but here we are… https://t.co/jkEH7w498Q
— Tim Becker (@tjbecker_) May 26, 2021
The security researcher goes on to opine in a post published on the Theori blog that the existence of this yet-to-be-patched vulnerability in WebKit yet again demonstrates that “patch-gapping is a significant danger with open source development.”
Patch-gapping refers to the window of time between a public patch for a security flaw and a stable release that integrates the patch into the main software. This window should be as small as possible to prevent bad actors from exploiting the vulnerability on devices in the wild.
“Ideally, the window of time between a public patch and a stable release is as small as possible.” Becker wrote. “In this case, a newly released version of iOS remains vulnerable weeks after the patch was public.”
Source link: https://www.idownloadblog.com/2021/05/27/apple-webkit-safari-flaw-patch-gapping/
Leave a Reply