Apple Inexplicably Delays Fixing a WebKit Flaw That Has Available Patch and Exploit
- Apple is yet to apply an already available patch on Safari stable, even though multiple exploits are out.
- The exploit of the vulnerability could lead to arbitrary remote code execution due to insufficient checks in memory calls.
- A patch for this was roll-out almost a full month ago, and Apple is yet to make a move.
Researchers at ‘Theori’ report about an exploitable bug in Safari’s WebKit, which was fixed by a patch that came right before discovering the flaw, yet it has still not been delivered to Safari stable. It means that even though a patch is available since last month, Apple’s browser remains vulnerable to exploitation.
To make matters worse, the researchers warn that there are already quite a few public exploits available out there, so they have decided to go deep into it with their own analysis.
The vulnerability is related to “audioworklet”, which was introduced on Safari 14.1 as a problem-solving attempt to address manipulation potential on the WebAudio API system. The problem lies in the lack of check on the return of a memory object, which could enable the bypassing of PAC (Pointer Authentication Codes).
The exploitation of the flaw can potentially lead to arbitrary remote code execution, which is the ultimate "danger scenario." For more practical details on how that would work, check out Theori’s analysis.
With PoC Javascript snippets available freely out there, the situation is quite dangerous, as the researchers warn. The latest Safari security update was 14.1.1, which came out three days ago, and it still doesn’t address the issue. As such, this is the perfect example of the risks that arise from the so-called “patch-gapping,” and Apple can no longer afford to delay this.
As we commented recently, WebKit is a pain for Apple’s security engineers as it has proven to be a constant source of zero-day troubles for the platform. It is understandable that exploit authors put in the extra effort to target Safari’s web engine, as the rewards from this are very significant. Almost every month, we see Apple rushing to plug a hole in WebKit that is already under active exploitation. At least this time, in this particular case, the company had the chance to move before the actors got that opportunity.