
Wednesday, May 26, 2021

Exploitable WebKit flaw still present in iOS and macOS despite available fix - AppleInsider


Apple has not yet patched a WebKit vulnerability present in iOS and macOS despite a fix for the flaw being available for weeks.

The vulnerability, first discovered by security researchers at cybersecurity startup Theori, resides in the implementation of AudioWorklets in WebKit. Although the bug could cause Safari crashes, Theori says it's also an exploitable type-confusion flaw.

The vulnerability stems from AudioWorklet, an interface that allows developers to control, render, and output audio. Exploiting the flaw could give attackers the building blocks to execute malicious code on devices.

A bad actor would still need to bypass Pointer Authentication Codes, or PAC, to actually pull off an attack in the real world. PAC is a mitigation that requires a pointer to carry a valid cryptographic signature before the code it points to can be executed.

Additionally, the flaw was patched by open-source developers in early May. Despite the availability of the fix, the vulnerability still exists in the latest versions of iOS and macOS, Theori researcher Tim Becker said.

"Ideally, the window of time between a public patch and a stable release is as small as possible. In this case, a newly released version of iOS remains vulnerable weeks after the patch was public," Becker wrote.

According to Becker, the lack of a fix is an example of "patch-gapping," which he says is a significant danger with open source development.

According to Google's Project Zero, there have been a total of seven vulnerabilities in Apple's systems that have been actively exploited in the wild since the start of 2021. Many of those now-patched flaws existed in WebKit.


May 27, 2021 at 04:04AM