Safari’s WebKit rendering engine has a flaw that could crash the browser and enable malicious code execution, and Apple hasn’t yet patched it even though a fix’s been available for weeks.
- A fix for a WebKit flaw has been available for weeks.
- Apple hasn’t patched the vulnerability despite the available fix.
- The flaw is still present in iOS, iPadOS and macOS.
Apple, WebKit vulnerabilities and patch-gapping
A new report from ArsTechnica explains that Safari’s WebKit engine has an exploitable flaw on iOS, iPadOS and macOS that could allow malicious code to execute on your iPhone, iPad, iPod touch and Mac. Curiously, a fix for the Webkit flaw has been available for three weeks.
However, Apple’s yet to implement it.
Recent Apple OS updates include fixes for several vulnerabilities found in WebKit, but not for this particular flaw even though it could open the door to further malicious attacks. The company is currently testing iOS 14.7 with its registered developers and public beta testers, but it’s unclear if the updates include any patches for the vulnerability.
A bug in AudioWorklet seems to permit malicious code to execute on the device. AudioWorklet is a WebKit feature that’s responsible for rendering audio from web pages.
A fix for the AudioWorklet bug has been developed by third-party developers several weeks ago, but it’s unclear why Apple hasn’t implemented it already. Of course, the company could easily inclue neccessary fixes in upcoming operating system updates.
WebKit is a layout engine created by Apple that’s used by Safari and some other web browsers.
“We didn’t expect Safari to still be vulnerable weeks after the patch was public,” vulnerability researcher Tim Becker of cybersecurity startup Theori commented on Twitter.
This exploit was a fun challenge. We didn't expect Safari to still be vulnerable weeks after the patch was public, but here we are… https://t.co/jkEH7w498Q
— Tim Becker (@tjbecker_) May 26, 2021
Becker opines in a post published on the Theori blog that the existence of the yet-to-be-patched WebKit vulnerability yet again demonstrates that “patch-gapping is a significant danger with open source development.”
Patch-gapping refers to the window of time between a public patch for a security flaw and a stable release that integrates the patch into the main software. This window should be as small as possible to prevent bad actors from exploiting the vulnerability on devices in the wild.
“Ideally, the window of time between a public patch and a stable release is as small as possible.” Becker wrote. “In this case, a newly released version of iOS remains vulnerable weeks after the patch was public.”