WebKit Flaw That Crashes Safari Hasn’t Been Fixed After Almost Three Weeks

A security exploit that could allow malicious code to be run on Macs, iPhones, and iPads hasn’t been fixed after a number of weeks.

A new report from Ars Technica explains that a WebKit flaw on iOS and macOS can cause Safari to crash and could lead to further malicious attacks.

Webkit is what powers Safari and a number of similar web browsers and the bug appears to be related to AudioWorklet which manages audio output from web pages. When exploited, the bug could allow malicious code to be run.

AudioWorklet is responsible for playing audio content, but the vulnerability would allow hackers to eventually execute malicious code on exposed devices. In reality, however, those hackers would still have to bypass exploit mitigation systems first, and those are harder to do than taking advantage of the WebKit flaw.

What security firm Theori would like to emphasize, however, is the patch-gapping danger that Apple is risking. Patch-gapping refers to the brief window of opportunity between having a fix available at the source and having that fix finally made available to users. In this case, the WebKit AudioWorklet bug was patched by developers outside of Apple but the company has yet to actually roll it out.

“This bug yet again demonstrates that patch-gapping is a significant danger with open source development,” Theori researcher Tim Becker wrote in a post published Tuesday. “Ideally, the window of time between a public patch and a stable release is as small as possible. In this case, a newly released version of iOS remains vulnerable weeks after the patch was public.”

As Ars Technica points out, this isn’t an isolated case. Apple has a running tally of zero-day vulnerabilities that it still has to fix, with six out of eight of those found inside WebKit. As it affects almost all of Apple’s devices, one would hope that the Cupertino company also moves faster in plugging up those holes.