Apple released iOS 14.5.1 and other software updates in late April that brought important security fixes to WebKit, which is the engine behind Safari and other web browsers on iOS. However, security researchers point out that there is still an exploit in WebKit that is active even in the latest versions of iOS and macOS.
As pointed out by security firm Theori (via ArsTechnica), the vulnerability is related to AudioWorklet, which manages audio output on web pages, and causes Safari to crash. With the right commands, attackers can use this exploit to execute malicious code on the iPhone, iPad, and Mac.
However, what really intrigues researchers is that a fix for this vulnerability was revealed almost three weeks ago by developers outside of Apple, as seen on the WebKit repository on GitHub. Even so, Apple hasn’t yet included the fix in the latest versions of its operating systems. “We didn’t expect Safari to still be vulnerable weeks after the patch was public,” said one of the researchers.
As Theori pointed out, the window between a public patch and its inclusion in official releases should be “as small as possible,” but for some unknown reason Apple has yet to acknowledge the problem.
Apple is currently working on iOS 14.7 and other software updates, which are currently available as beta releases for developers — so perhaps the company will finally include the fix to the WebKit exploit with these updates.
This exploit was a fun challenge. We didn’t expect Safari to still be vulnerable weeks after the patch was public, but here we are… https://t.co/jkEH7w498Q
— Tim Becker (@tjbecker_) May 26, 2021
More details about the vulnerability can be found on Theori’s website.