According to Theori, an exploitable WebKit vulnerability is still present in the latest versions of iOS and macOS even though a fix has been available for ‘weeks.’ WebKit is the browser engine behind Safari and, on iOS, every other web browser as well.
The vulnerability was publicised by security firm Theori. It lies in WebKit's AudioWorklet implementation. AudioWorklet is the Web Audio API interface that lets a web page run its own JavaScript audio-processing code on the browser's audio rendering thread. According to Theori, exploiting the vulnerability gives attackers “the basic building blocks to remotely execute malicious code on affected devices.”
The fix landed in the public WebKit repository on GitHub in early May. What is surprising is that, even though the fix has been available for weeks, Apple has yet to ship it in the current releases of iOS and macOS. The reports also claim the vulnerability might have been ‘actively exploited.’
Apple has released several iOS updates in the past few months patching WebKit vulnerabilities. iOS 14.4.2 arrived two weeks after iOS 14.4.1, each carrying ‘critical’ WebKit fixes, and the more recent iOS 14.5.1 was released only a week after iOS 14.5, again fixing critical WebKit vulnerabilities.
This exploit was a fun challenge. We didn't expect Safari to still be vulnerable weeks after the patch was public, but here we are… https://t.co/jkEH7w498Q
— Tim Becker (@tjbecker_) May 26, 2021
As Theori notes, the window between a patch landing in the public WebKit repository and its arrival in a stable release should be as short as possible, because the public commit shows attackers exactly where the bug is before users are protected. It is therefore surprising that Apple still has not shipped the fix three weeks after it became available. “We didn’t expect Safari to still be vulnerable weeks after the patch was public, but here we are… ” Becker wrote on Twitter.
Last week, Apple released macOS Big Sur 11.4, which patched a bug that allowed attackers to take screenshots of a Mac’s screen without the user’s consent. Apple has been active in fixing zero-day vulnerabilities; however, it remains to be seen when the fix for the AudioWorklet bug will ship.
[Via ArsTechnica]