Bugs in software aren’t exactly out of the ordinary, even bugs that can compromise the security of a system. Of course, those get fixed eventually but some bugs are time-sensitive and their patches need to be rolled out as quickly as possible. Unfortunately, one security researcher points out that Apple may not see one such vulnerability as an urgent matter as it hasn’t rolled out a fix to iOS and macOS that would plug up a WebKit bug that not only causes Safari to crash but also leaves a door open for attackers to exploit.
WebKit is the engine that Apple uses not just for its Safari web browser but also for displaying web pages or HTML content in apps. As such, it is present in almost all its platforms, both mobile and desktop, which means that any security flaw in it could affect all those platforms as well. That was the case with a bug in WebKit’s AudioWorklet that was reported and fixed by open source developers weeks ago.
As the name suggests, AudioWorklet is responsible for playing audio content, but the vulnerability would allow hackers to eventually execute malicious code on exposed devices. In reality, however, those hackers would still have to jump through hoops to actually make unauthorized code run. More specifically, the hacker would first have to bypass the platform's exploit mitigations, which is harder to do than taking advantage of this WebKit flaw on its own.
What security firm Theori would like to emphasize, however, is the patch-gapping danger that Apple is risking. Patch-gapping refers to the brief window of opportunity between having a fix available at the source and having that fix finally made available to users. In this case, the WebKit AudioWorklet bug was patched by developers outside of Apple but the company has yet to actually roll it out.
As Ars Technica also points out, this isn’t an isolated case. Apple has a running tally of zero-day vulnerabilities that it still has to fix, with six out of eight of those found inside WebKit. As it affects almost all of Apple’s devices, one would hope that it also moves faster in plugging up those holes.