Apple still doesn't fix WebKit security flaw in iOS and macOS despite available patch

Apple is still in the process of patching a WebKit vulnerability present in both iOS and macOS, even though a patch for the flaw has been available for several weeks, experts have warned. The vulnerability was first discovered by researchers at cybersecurity startup Theori, which also has a proof-of-concept exploit that takes advantage of the bug. According to Theori's team, the problem stems from the Web Audio API's AudioWorklet interface, which allows developers to control, manipulate, render, and output audio.

A patch for the vulnerability was added to upstream WebKit code in early May. Interestingly, however, Theori points out that Apple continues to deliver vulnerable iOS updates nearly three weeks after the patch was released.

Patch gap

AppleInsider explains that exploiting the flaw could give attackers the basic components needed to run malicious code on devices. However, the process is not straightforward, as any real-world exploit would still need a way to bypass Pointer Authentication Codes (PAC), a mitigation that requires a cryptographic signature before code can run in memory.

Regardless of the complexity of exploiting the bug, the real issue here is Apple's inaction despite the public availability of a fix. Ideally, there should be a minimum amount of time between a public patch and a stable release. In this case, however, Apple continues to ship new versions of iOS with the vulnerable, unpatched version of WebKit.

Threat actors have been known to take advantage of this patch gap: the window between a vulnerability being patched and the patch reaching users.

“This bug proves once again that the patch gap is a significant danger with open source development. Ideally, the window of time between a public patch and a stable release is as small as possible. In this case, a new version of iOS remains vulnerable weeks after the patch is released,” Theori researchers conclude.

Via AppleInsider