WebKit security flaw on both iOS and macOS still unpatched by Apple despite available fix

By Mayank Sharma
published

This kind of patch-gaping could lead to serious security issue, believe security researchers

Privacy
(Image credit: Shutterstock / Valery Brozhinsky)

Apple is yet patch a WebKit vulnerability present in both iOS (opens in new tab) and macOS (opens in new tab) despite a fix for the flaw being available for several weeks now, experts have warned.

The vulnerability was first discovered by researchers at cybersecurity (opens in new tab) startup Theori, who also has a proof-of-concept exploit that takes advantage of the bug. 

According to the Theori team, the issue stems from the AudioWorklet interface of the Web Audio API that allows developers to control, manipulate, render, and output audio (opens in new tab)

TechRadar needs yo...

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window (opens in new tab)<<

A patch for the vulnerability was added to the upstream WebKit code early in May. Strangely however, Theori notes that Apple continues to ship vulnerable iOS updates almost three weeks after the patch was made public.

Patch gaping 

AppleInsider explains that exploiting the flaw could give attackers the building blocks to execute malicious code on devices. 

The process though isn’t straightforward as any exploitation in the real world would still need a way to bypass the Pointer Authentication Codes (PAC), which is a mitigation system that requires a cryptographic signature before code can be executed in memory. 

Irrespective of how complex it is to exploit the bug, the real issue here is Apple’s inaction despite the public availability of a patch. 

Ideally, there should be a minimal amount of time between a public patch and a stable release. In this case though, Apple continues to ship new versions of iOS with the unpatched vulnerable version of WebKit. 

Threat actors are known to take advantage of this patch gaping; the window between fixing a vulnerability and shipping the patch to the users.

“This bug yet again demonstrates that patch-gapping is a significant danger with open source (opens in new tab) development. Ideally, the window of time between a public patch and a stable release is as small as possible. In this case, a newly released version of iOS remains vulnerable weeks after the patch was public,” conclude Theori researchers.

Via AppleInsider (opens in new tab)

Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

See more Computing news