According to a report by a security firm, Apple has yet to fix a security bug present in iPhones and Macs despite a fix having been released at the end of April. The issue resides in WebKit, the browser engine that powers Safari and other browsers on iOS.
More specifically, the issue concerns AudioWorklet, which manages audio output on web pages, and causes Safari to crash repeatedly. With the right set of commands, potential attackers can use it to execute malicious code on iOS, macOS, and even iPadOS.
Security firm points out the vulnerability in iOS and macOS, despite Apple releasing an update just weeks ago
The security research firm Theori, via ArsTechnica, said that the flaw is exploitable and that, even though a fix is available, the bug still resides in iOS and macOS. “Patch-gapping” is the term used to describe the exploitation of a vulnerability during the usually brief window between the time it is fixed and when the fix becomes available to end-users.
This bug yet again demonstrates that patch-gapping is a significant danger with open source development. Ideally, the window of time between a public patch and stable release is as small as possible. In this case, a newly released version of iOS remains vulnerable weeks after the patch was public.
The fix for this vulnerability was discovered three weeks ago by various developers outside of Apple, but the Cupertino tech giant has not yet included it in the latest versions of its operating systems. The window between a public patch and its inclusion in official releases should be as small as possible. However, for unknown reasons, the Cupertino tech giant has not acknowledged this issue.
Writing an exploit is often like programming a very strange machine. We begin with limited capabilities, upon which we build stronger and stronger abstractions, until we have achieved arbitrary code execution. The first step is determining what primitives we have to build our abstractions on.
Currently, the tech giant is working on iOS 14.7, among other software updates, which are available as beta releases for developers. The company may provide a fix for the WebKit exploit in one of these updates.