Exploitable security bug remains in iOS and macOS 3 weeks after upstream fix

WebKit bug that was fixed upstream has yet to find its way into Apple products.

Apple has yet to patch a security bug found in iPhones and Macs despite the availability of a fix almost three weeks ago, a researcher said.

The vulnerability resides in WebKit, the browser engine that powers Safari and all browsers that run on iOS. When it was fixed almost three weeks ago by open source developers outside of Apple, the release notes said that the bug caused Safari to crash. In fact, a researcher from security firm Theori said the flaw is exploitable, and despite the availability of a fix, it still hasn’t made its way into either iOS or macOS.

Mind the gap

“This bug yet again demonstrates that patch-gapping is a significant danger with open source development,” Theori researcher Tim Becker wrote in a post published Tuesday. “Ideally, the window of time between a public patch and a stable release is as small as possible. In this case, a newly released version of iOS remains vulnerable weeks after the patch was public.”

Patch-gapping is the term used to describe the exploitation of a vulnerability during the window between the time a fix lands in a public open source repository and the time it ships to end users. That window is usually brief, but because the commit and its release notes are public, anyone watching the repository can see what was fixed and start working backward to an exploit. In an interview, Becker said that the patch has yet to make its way into macOS as well.

The vulnerability stems from what security researchers call a type confusion bug, a flaw in which code operates on an object as though it were of a different type than it actually is, in the WebKit implementation of AudioWorklet, a Web Audio API interface that lets web developers run their own audio-processing code on a dedicated audio thread to decrease latency and control, manipulate, render, and output audio data. Exploiting the vulnerability gives an attacker the basic building blocks, arbitrary memory read and write inside the browser's web content process, for executing malicious code on a device that visits a booby-trapped web page.
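The article does not describe the internals of the WebKit bug, so the following is an added, generic illustration of the type confusion pattern rather than WebKit's code or the Theori proof of concept. It models a toy heap in which two object types share a header layout, but the second header word means "byte length" for one type and "sample rate" for the other; the object names, offsets and the "secret" payload are all hypothetical. Handing the wrong object to an accessor that trusts the length field turns a page-chosen value into an out-of-bounds read, which is the kind of primitive the text calls a building block.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap: each object is an 8-byte header followed by its payload.
 * The meaning of the header's second word depends on the object's kind,
 * which is exactly what a type confusion lets an attacker exploit. */
#define HEAP_SIZE 256
static uint8_t heap[HEAP_SIZE];

enum kind { KIND_BUFFER = 1, KIND_NODE = 2, KIND_SECRET = 3 };

struct header {
    uint32_t kind;
    uint32_t second;   /* buffer: byte length; node: sample rate; secret: length */
};

/* Hypothetical heap layout (offsets into heap[]). */
#define OBJ_BUFFER 0    /* 16-byte audio buffer owned by the page */
#define OBJ_NODE   32   /* audio node whose sample rate the page chooses */
#define OBJ_SECRET 64   /* unrelated object the page must never read */

static void put_header(uint32_t off, uint32_t kind, uint32_t second) {
    struct header h = { kind, second };
    memcpy(heap + off, &h, sizeof h);
}

/* Constructed sample heap contents for the demonstration. */
static void build_heap(void) {
    memset(heap, 0, sizeof heap);
    put_header(OBJ_BUFFER, KIND_BUFFER, 16);
    memset(heap + OBJ_BUFFER + 8, 'A', 16);
    put_header(OBJ_NODE, KIND_NODE, 0x7fffffffu);   /* attacker-chosen "sample rate" */
    put_header(OBJ_SECRET, KIND_SECRET, 8);
    memcpy(heap + OBJ_SECRET + 8, "S3CR3T!!", 8);
}

/* Vulnerable accessor: assumes obj is a buffer and bounds-checks the index
 * against whatever sits in header.second. Returns 0 on success. */
static int buffer_get_byte(uint32_t obj, uint32_t idx, uint8_t *out) {
    struct header h;
    memcpy(&h, heap + obj, sizeof h);
    if (idx >= h.second)
        return -1;                  /* looks like a proper bounds check */
    if (obj + 8u + idx >= HEAP_SIZE)
        return -2;                  /* keeps the toy inside heap[]; a real heap has no such fence */
    *out = heap[obj + 8u + idx];
    return 0;
}

/* Hardened accessor: confirm the dynamic type before trusting the header. */
static int buffer_get_byte_checked(uint32_t obj, uint32_t idx, uint8_t *out) {
    struct header h;
    memcpy(&h, heap + obj, sizeof h);
    if (h.kind != KIND_BUFFER)
        return -3;
    return buffer_get_byte(obj, idx, out);
}

/* The confusion: hand the node to the buffer accessor. Its 0x7fffffff sample
 * rate is read as a length, so the bounds check passes and indices walk off the
 * end of the node's payload into the secret object 32 bytes further on. */
const char *leak_with_confusion(void) {
    static char leaked[9];
    build_heap();
    for (uint32_t i = 0; i < 8; i++) {
        uint8_t b = 0;
        if (buffer_get_byte(OBJ_NODE, (OBJ_SECRET - OBJ_NODE) + i, &b) != 0)
            return NULL;
        leaked[i] = (char)b;
    }
    leaked[8] = '\0';
    return leaked;
}

/* Same attempt against the hardened accessor: rejected before any read. */
int leak_against_hardened(void) {
    uint8_t b = 0;
    build_heap();
    return buffer_get_byte_checked(OBJ_NODE, OBJ_SECRET - OBJ_NODE, &b);
}

int main(void) {
    printf("confused read leaked: %s\n", leak_with_confusion());
    printf("hardened accessor returned: %d\n", leak_against_hardened());
    return 0;
}
```

The point of the toy is that the vulnerable accessor does contain a bounds check; it is checking against a field whose meaning it never verified. In a real engine the same mismatch gives a relative out-of-bounds read or write, which an exploit then upgrades into the arbitrary read/write primitives the article describes.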


To make the exploitation work in real-world scenarios, however, an attacker would still need to bypass Pointer Authentication Codes, or PAC, a hardware exploit mitigation on recent iPhones and Apple silicon Macs that stores a cryptographic signature in the unused high bits of control-flow pointers such as return addresses and function pointers and verifies it before the pointer is used. A pointer forged or overwritten with a memory-write primitive carries no valid signature, so without a separate PAC bypass the WebKit exploit cannot redirect execution to code of its choosing.

“The exploit builds arbitrary read/write primitives which could be used as part of a larger exploit chain,” Becker said, referring to proof-of-concept attack code his company has released. “It does not bypass PAC. We consider PAC bypasses to be separate security issues and thus should be disclosed separately.”
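To make concrete why arbitrary read/write on its own does not get past PAC, here is an added model of the sign-and-authenticate flow; it is not Apple's implementation. Real hardware computes the signature with the QARMA cipher under keys that user-space code cannot read, and the process key, the two pointer storage contexts and the code addresses below are all hypothetical. The `fold16` function is a hand-checkable stand-in for the cipher, not a MAC, so the control flow is visible.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of ARMv8.3 pointer authentication as used on Apple's arm64e ABI.
 * Real hardware computes the tag with the QARMA cipher under keys user-space
 * cannot read; fold16() is a stand-in so the sign/authenticate flow can be
 * followed by hand. It is NOT a cryptographic MAC. */
typedef uint64_t vaddr;

#define PAC_SHIFT 48
#define PAC_MASK  (~((vaddr)0xFFFF << PAC_SHIFT))   /* low 48 bits: the real address */

static uint16_t fold16(uint64_t x) {
    x ^= x >> 32;
    x ^= x >> 16;
    return (uint16_t)x;
}

/* The tag depends on the key, the address and a context (modifier) such as the
 * storage location of the pointer, which is what stops cut-and-paste reuse. */
static uint16_t toy_pac(uint64_t key, vaddr ptr, uint64_t ctx) {
    return fold16((ptr & PAC_MASK) ^ key ^ ctx);
}

/* PACIA-like: sign a code pointer, storing the tag in the unused high bits. */
vaddr pac_sign(uint64_t key, vaddr ptr, uint64_t ctx) {
    return (ptr & PAC_MASK) | ((vaddr)toy_pac(key, ptr, ctx) << PAC_SHIFT);
}

/* AUTIA-like: verify and strip. Returns 0 on failure; real hardware instead
 * returns a poisoned pointer whose use faults, so a wrong guess kills the
 * process rather than letting the attacker quietly try again. */
vaddr pac_auth(uint64_t key, vaddr signed_ptr, uint64_t ctx) {
    vaddr raw = signed_ptr & PAC_MASK;
    if ((uint16_t)(signed_ptr >> PAC_SHIFT) != toy_pac(key, raw, ctx))
        return 0;
    return raw;
}

/* Hypothetical process key, pointer storage contexts and addresses. */
#define KEY_IA        0xC0FFEE1234567890ULL
#define CTX_SLOT_A    0x1000ULL
#define CTX_SLOT_B    0x2000ULL
#define LEGIT_TARGET  0x00007fff12345678ULL   /* hypothetical code address */
#define GADGET        0x00007fff0badc0deULL   /* hypothetical attacker gadget */

/* Normal flow: the runtime signed the pointer when storing it in slot A. */
vaddr call_through_slot_a(void) {
    vaddr stored = pac_sign(KEY_IA, LEGIT_TARGET, CTX_SLOT_A);
    return pac_auth(KEY_IA, stored, CTX_SLOT_A);
}

/* Attacker with an arbitrary write overwrites slot A with a raw gadget
 * address. No key, no tag: authentication fails. */
vaddr call_after_raw_overwrite(void) {
    return pac_auth(KEY_IA, GADGET, CTX_SLOT_A);
}

/* Attacker with an arbitrary read copies a validly signed pointer out of
 * slot B into slot A. Same key, same target, wrong context: fails. */
vaddr call_after_cross_slot_replay(void) {
    vaddr from_b = pac_sign(KEY_IA, LEGIT_TARGET, CTX_SLOT_B);
    return pac_auth(KEY_IA, from_b, CTX_SLOT_A);
}

int main(void) {
    printf("legit:  %#llx\n", (unsigned long long)call_through_slot_a());
    printf("forged: %#llx\n", (unsigned long long)call_after_raw_overwrite());
    printf("replay: %#llx\n", (unsigned long long)call_after_cross_slot_replay());
    return 0;
}
```

With a 16-bit tag as in this model, guessing a signature succeeds about once in 65,536 tries, and each failure crashes the process, so read/write alone is not enough; an exploit chain needs a signing gadget or a key leak, which is the separate PAC bypass Becker refers to.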

Theori said company researchers independently discovered the vulnerability but that it had been fixed upstream before they could report it to Apple.

“We didn't expect Safari to still be vulnerable weeks after the patch was public, but here we are... ” Becker wrote on Twitter.

"This exploit was a fun challenge. We didn't expect Safari to still be vulnerable weeks after the patch was public, but here we are... https://t.co/jkEH7w498Q" — Tim Becker (@tjbecker_), May 26, 2021

Eight Apple zerodays and counting

While the threat posed by this vulnerability isn't immediate, it's still potentially serious, because it clears a major hurdle required to wage the kinds of in-the-wild exploits that have bedeviled iOS and macOS users in recent months.

According to a spreadsheet maintained by Google’s Project Zero vulnerability research team, seven vulnerabilities have been actively exploited against Apple users since the beginning of the year. The figure rises to eight when including a macOS zeroday that Apple patched on Monday. Six of the eight vulnerabilities resided in WebKit.

Apple representatives didn’t respond to an email seeking comment for this post.

