The vulnerability was first discovered by researchers at cybersecurity startup Theori, who have also developed a proof-of-concept exploit that takes advantage of the bug.
According to the Theori team, the issue stems from the AudioWorklet interface of the Web Audio API that allows developers to control, manipulate, render, and output audio.
A patch for the vulnerability was added to the upstream WebKit code early in May. Strangely, however, Theori notes that Apple continues to ship vulnerable iOS updates almost three weeks after the patch was made public.
AppleInsider explains that exploiting the flaw could give attackers the building blocks to execute malicious code on devices.
The process, though, isn’t straightforward: any real-world exploitation would still need a way to bypass Pointer Authentication Codes (PAC), a mitigation that requires a cryptographic signature before code can be executed in memory.
Irrespective of how complex it is to exploit the bug, the real issue here is Apple’s inaction despite the public availability of a patch.
Ideally, there should be a minimal amount of time between a public patch and a stable release. In this case though, Apple continues to ship new versions of iOS with the unpatched vulnerable version of WebKit.
Threat actors are known to take advantage of this “patch gapping”: the window between a vulnerability being fixed in public source code and the patch actually shipping to users.
“This bug yet again demonstrates that patch-gapping is a significant danger with open source development. Ideally, the window of time between a public patch and a stable release is as small as possible. In this case, a newly released version of iOS remains vulnerable weeks after the patch was public,” conclude Theori researchers.