Type Confusion WebKit Vulnerability in iOS Has Been Open for Exploitation for Weeks Despite an Available Patch

essidsolutions

Apple has failed to secure a “type confusion” vulnerability residing in the WebKit used in Safari browser on iOS and macOS. Instead of promptly bridging the gap, the company has been sitting on the open-source fix and indirectly contributing to patch-gapping.

Weeks after Theori originally discovered and notified Apple of a security flaw in both iOS and macOS, two of the most popular mobile and desktop operating systems, the company still hasn’t issued a fix for iOS. This vulnerability is one of several bugs in WebKit, the engine behind Apple’s Safari browser used across iPhones, iPads, and Macs.

Apple fixed two zero-day vulnerabilities earlier this month, one of which was a memory corruption flaw, while the other was an integer overflow bug; either could enable attackers to target a vulnerable device and execute arbitrary code using malicious web content delivered over Safari.

Tracked as CVE-2021-30665 and CVE-2021-30663, patches for both of these vulnerabilities, which Apple says were exploited in the wild, were issued in the iOS 14.5.1 and macOS Big Sur 11.3 updates on May 3.

The current vulnerability in question is a third flaw that remained unpatched even as the California-based provider of the second-biggest mobile and computer operating systems in the world rolled out its iOS 14.6 update earlier this week, in addition to its unscheduled patches. What’s more, Apple has been sitting on the fix for this vulnerability, which has already been available for three weeks.

The open-source fix was developed by developers outside of Apple and has been available on GitHub since May 7.

This exploit was a fun challenge. We didn’t expect Safari to still be vulnerable weeks after the patch was public, but here we are…

— Tim Becker (@tjbecker_) May 26, 2021


Tim Becker, vulnerability researcher at Theori, noted in a blog post, “This bug yet again demonstrates that patch-gapping is a significant danger with open source development. Ideally, the window of time between a public patch and a stable release is as small as possible. In this case, a newly released version of iOS remains vulnerable weeks after the patch was public.”

According to vulnerability intelligence provider Exodus Intelligence, patch-gapping is the practice of exploiting vulnerabilities in open-source software that have already been fixed (or are in the process of being fixed) by the developers before the actual patch is shipped to users. Users of the vulnerable product, WebKit in this case, remain at risk from the security flaw within this window, which can range from days to months.

WebKit is a rendering engine that draws HTML/CSS web pages in browsers and applications. Besides Safari on iOS and macOS, WebKit is also used in Mail, the Apple App Store, PlayStation consoles (PS3 onwards), the Tizen mobile OS, and the browser in the Amazon Kindle e-book reader, although neither Theori nor Apple said these products are impacted.

Alternatives to WebKit such as Gecko, EdgeHTML, and Blink are used in Safari’s competitors Mozilla Firefox, Microsoft Edge, and Chrome respectively.

The WebKit Vulnerability

The vulnerability exists due to a type confusion error in the implementation of AudioWorklet, an interface in the Web Audio API used primarily to run custom audio-processing scripts. AudioWorklet allows users to manage audio output on Safari and other WebKit-based browsers. This includes controlling, rendering, and manipulating audio.

According to the Common Weakness Enumeration (CWE), “type confusion” occurs when a program accesses a resource using an incompatible type. So when a program initializes a resource such as an object or a variable using one type, but later accesses that resource with a type that is incompatible with the original type, it can trigger logical errors because the expected properties are absent.

Type confusion bugs can enable access to out-of-bounds system memory, particularly in applications written in languages without memory safety, such as C and C++. WebKit is written in C++.
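To make the CWE definition concrete, the following C++ is an added illustration, not code from WebKit or from Theori’s analysis. It uses a constructed tagged value of the kind a script engine keeps for interpreter values: the tag says which union member is live. The buggy accessor trusts the caller’s assumption about the type and reads the payload as a pointer; the hardened accessors re-check the tag first. The names (`Kind`, `Value`, `confusedPointerBits`, `checkedString`, `checkedInt`) are all hypothetical.

```cpp
#include <cstdint>
#include <cstring>
#include <string>

// Constructed example: a tagged value such as an engine might use for
// interpreter values. The tag records which union member is live.
enum class Kind : uint8_t { Int, Str };

struct Value {
    Kind kind;
    union {
        int64_t     i;   // live when kind == Kind::Int
        const char* s;   // live when kind == Kind::Str
    };
};

Value makeInt(int64_t v)      { Value r; r.kind = Kind::Int; r.i = v; return r; }
Value makeStr(const char* p)  { Value r; r.kind = Kind::Str; r.s = p; return r; }

// BUGGY PATTERN: the caller "knows" the value is a string and never checks the
// tag. If kind is actually Int, the integer bits occupy the pointer slot and a
// dereference would follow a caller-chosen address. That is the type
// confusion. To keep this example well-defined and crash-free, it only copies
// the raw bits out instead of dereferencing them.
uintptr_t confusedPointerBits(const Value& v) {
    static_assert(sizeof(uintptr_t) == sizeof(v.s), "pointer width assumption");
    uintptr_t bits = 0;
    std::memcpy(&bits, &v.s, sizeof(bits));   // whatever currently occupies the slot
    return bits;
}

// HARDENED PATTERN: every accessor re-checks the tag before interpreting the
// payload. A mismatch is reported to the caller instead of yielding a bogus
// pointer or integer.
bool checkedString(const Value& v, std::string& out) {
    if (v.kind != Kind::Str) return false;
    out = v.s;
    return true;
}

bool checkedInt(const Value& v, int64_t& out) {
    if (v.kind != Kind::Int) return false;
    out = v.i;
    return true;
}
```

The interesting line is the `memcpy` in `confusedPointerBits`: an integer value such as `0x1122334455667788` comes back unchanged as the “pointer”, which is exactly what a real unchecked accessor would then dereference. The hardened accessors cost one comparison per access and turn the same mismatch into a recoverable failure, which is the defensive property the page’s CWE description is pointing at.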

This vulnerability was initially thought only to crash the Safari browser when triggered. Closer inspection by Theori revealed that it could be exploited with malicious intent, and that exploiting it could be a stepping stone to remote code execution. Fortunately, attackers would still have to overcome Pointer Authentication Codes (PAC) before they could get into an iOS or Mac system.

Pointer authentication is a hardware-based mitigation under which code pointers in WebKit carry a cryptographic signature. With PAC enabled, every code pointer is checked for a valid signature before control flow is transferred to it. PAC keys are kept in registers and are thus inaccessible to a threat actor seeking to forge valid pointers.

“Although this mitigation is still rarely a bottleneck for attackers, bypasses should nonetheless be considered security bugs in their own right,” explained Theori. For a more technical drill-down of the type confusion vulnerability, refer to Theori’s analysis.


Winding Up

Despite a nice bit of serendipity, with PAC posing a hindrance to potential attackers, the bottom line is that Apple is taking far too long to fix a known flaw that has a known fix. Moreover, this is the eighth zero-day vulnerability plaguing Apple products in the 2021 calendar year, and we’re not even halfway through it. At the same time, the pace of fixing these flaws has lagged lamentably behind the rate of discovery.

It is unclear why exactly Apple is delaying patching the vulnerability and directly contributing to increased chances of patch-gapping. The company has not provided a timeline for a relevant patch; however, the most probable rollout should happen with the release of the iOS 14.7 update currently in beta.
