Apple released iOS 14.5.1 and other software updates in late April that brought important security fixes to WebKit, which is the engine behind Safari and other web browsers on iOS. However, security researchers point out that there is still an exploit in WebKit that is active even in the latest versions of iOS and macOS.

As pointed out by security firm Theori (via ArsTechnica), the vulnerability is related to AudioWorklet, which manages audio output on web pages, and causes Safari to crash. With the right commands, attackers can use this exploit to execute malicious code on the iPhone, iPad, and Mac.

However, what really intrigues researchers is that a fix for this vulnerability was revealed almost three weeks ago by developers outside of Apple, as seen on the WebKit repository on GitHub. Even so, Apple hasn’t yet included the fix in the latest versions of its operating systems. “We didn’t expect Safari to still be vulnerable weeks after the patch was public,” said one of the researchers.

As Theori pointed out, the window between a public patch and its inclusion in official releases should be “as small as possible,” but for some unknown reason Apple has yet to acknowledge the problem.

This exploit was a fun challenge. We didn’t expect Safari to still be vulnerable weeks after the patch was public, but here we are… https://t.co/jkEH7w498Q

— Tim Becker (@tjbecker_) May 26, 2021

Apple is currently working on iOS 14.7 and other software updates, which are currently available as beta releases for developers — so perhaps the company will finally include the fix to the WebKit exploit with these updates.

More details about the vulnerability can be found on Theori’s website.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

About the Author

Another exploit found in WebKit hasn’t yet been fixed in the latest iOS and macOS versions
Source:
Source 1

LEAVE A REPLY

Please enter your comment!
Please enter your name here