Exploitable WebKit flaw still present in iOS and macOS despite available fix


Apple has not yet patched a WebKit vulnerability present in iOS and macOS despite a fix for the flaw being available for weeks.

The vulnerability, first discovered by security researchers at cybersecurity startup Theori, resides in the implementation of AudioWorklets in WebKit. Although the bug could cause Safari crashes, Theori says it's also an exploitable type confusion flaw.

The vulnerability stems from AudioWorklet, an interface that allows developers to control, render, and output audio. Exploiting the flaw could give attackers the building blocks to execute malicious code on devices.

On the other hand, a bad actor would still need to bypass Pointer Authentication Codes, or PAC, to actually pull off an attack in the real world. PAC is a mitigation system that requires a cryptographic signature before code can be executed in memory.

Additionally, the flaw was patched by open-source developers in early May. Despite the availability of the fix, the vulnerability still exists in the latest versions of iOS and macOS, Theori researcher Tim Becker said.

"Ideally, the window of time between a public patch and a stable release is as small as possible. In this case, a newly released version of iOS remains vulnerable weeks after the patch was public," Becker wrote.

According to Becker, the lack of a fix is an example of "patch-gapping," which he says is a significant danger with open source development.

According to Google's Project Zero, there have been a total of seven vulnerabilities in Apple's systems that have been actively exploited in the wild since the start of 2021. Many of those now-patched flaws existed in WebKit.
