Apple WebKit exploit unpatched in iOS and macOS for three weeks
Software vulnerabilities, even minor ones, might seriously endanger the safety of a system and open the door for malicious actors, which is not that unusual nowadays. These vulnerabilities are typically being addressed sooner or later, however, certain bugs are time-sensitive and their fixes must be implemented as soon as possible.
Sadly, security researchers have noted that Apple has not considered a particular vulnerability to being that urgent, since it has not implemented the available fix to its iOS and macOS. What the researchers point out is a WebKit problem that not only is responsible for crashes in Safari but also opens a door for attackers to exploit it.
WebKit is an engine that Apple utilizes in its Safari browser, as well as to show web pages or HTML information in applications. Both the mobile and the desktop platforms of the iPhone maker have WebKit embedded, meaning that any security weakness related to it might directly impact these platforms and their safety. A particular bug in WebKit’s AudioWorklet identified and fixed by open source developers weeks ago is what has been concerning security professionals from Theori, who have published research on how this bug can be exploited.
According to their findings, AudioWorklet is a feature that is generally responsible for playing audio, but a bug in it allows hackers to run harmful code on unpatched devices. The hackers still need to first circumvent a number of exploit mitigation mechanisms, which are harder to bypass, in order to take advantage of this WebKit flaw.
However, what Theori researchers want to point out is the time gap between the patch release and its implementation in the systems of Apple. In the case of the WebKit AudioWorklet flaw, the researchers have found a time gap of more than three weeks between having the fix available at the source and making it available to end-users where Apple is yet to implement it.
Security professionals are commenting that this is not the only case where Apple has a number of vulnerabilities with available fixes pending to be implemented. And since WebKit impacts practically every Apple device, we should hope that the patches of these flaws are set in place quickly.