According to a researcher, Apple has yet to fix a security bug in iPhones and Macs, even though a fix was released almost three weeks ago.
The vulnerability resides in WebKit, the browser engine that Safari supports, and any browser that runs on iOS. When the vulnerability was fixed by open source developers outside of Apple nearly three weeks ago, the fix’s release notes stated that the bug caused Safari to crash. A researcher from security firm Theori said the bug was exploitable and, despite the availability of a fix, the bug was still there in iOS and macOS.
Pay attention to the gap
“This error shows once again that patch gapping represents a considerable risk in open source development,” wrote the theori researcher Tim Becker in an article published on Tuesday. “Ideally, the time window between a public patch and a stable version is as small as possible. In this case, a newly released version of iOS will remain vulnerable weeks after the patch is released. “
Patch gapping is the term used to describe the exploitation of a vulnerability during the typically short window of time between when it is remediated upstream and when it is available to end users. In an interview, Becker said that the patch has not yet been included in macOS.
The vulnerability results from a bug in WebKit’s implementation of AudioWorklet, an interface that security researchers have known as a type confusion bug, an interface that allows developers to control, edit, render, and output audio and reduce latency. The exploitation of the vulnerability gives an attacker the building blocks to remotely execute malicious code on affected devices.
In order for the exploitation to work in real-world scenarios, however, an attacker must still bypass Pointer Authentication Codes (PAC), an exploit mitigation system that requires a cryptographic signature before code can be executed in memory. Without the signature or a bypass, it would be impossible for malicious code written by the WebKit exploit to actually run.
“The exploit creates arbitrary read / write primitives that can be used as part of a larger exploit chain,” said Becker, referring to the proof-of-concept attack code published by his company. “PAC is not bypassed. We consider PAC bypasses to be separate security issues and should therefore be disclosed separately. “
Theori said that corporate researchers discovered the vulnerability independently, but had it fixed up front before they could report it to Apple.
“We didn’t expect Safari to be vulnerable weeks after the patch was released, but here we are …” Becker wrote on Twitter.
This exploit was a fun challenge. We didn’t expect Safari to be vulnerable weeks after the patch was released, but here we are … https://t.co/jkEH7w498Q
– Tim Becker (@tjbecker_), May 26, 2021
Eight Apple Zero-Days and Counting
While the threat from this vulnerability is not immediate, it is potentially serious as it removes a significant hurdle required to tackle the kind of in-the-wild exploits that iOS and macOS users have experienced in recent years Months.
According to a table maintained by Google’s Project Zero vulnerability research team, seven vulnerabilities have been actively exploited against Apple users since the beginning of the year. The number rises to eight if you include a macOS zero-day that Apple patched on Monday. Six of the eight vulnerabilities were in WebKit.
Apple representatives did not respond to an email requesting a comment on this post.