A fix that has been made available for weeks to patch a flaw found on iPhones and Macs has yet to be implemented by Apple. The vulnerability is found within the browser engine that supports Safari and all browsers on iOS and macOS.
Introduction/what is the vulnerability?
A web standard called ‘AudioWorklets’ was introduced in late April in order to optimise how a browser processes audio and to make it possible to achieve more with audio, but without it being resource intensive.
Not long after this was released, security researchers from a company called ‘Theori’ discovered a bug in how this feature was implemented, which made it possible for unscrupulous individuals to exploit the flaw and run arbitrary code. The flaw can also cause browsers to crash unexpectedly.
Why have Apple been criticised?
The vulnerability was reportedly fixed by a batch of open source developers from ‘WebKit’, but it has been discovered that Apple Safari’s developers have not yet implemented the fix into the next available update for iOS or macOS.
This means that even if you have updated your device to the latest version, it is still not protected from the vulnerability – and thus you could be exposed to a potential hack.
Tim Becker, a researcher at Theori, commented about this on Tuesday the 25th April:
“This bug yet again demonstrates that patch-gapping is a significant danger with open source development. Ideally, the window of time between a public patch and a stable release is as small as possible. In this case, a newly released version of iOS remains vulnerable weeks after the patch was public.”
What should you do as a business?
To exploit this flaw, a potential attacker would need to bypass Pointer Authentication Codes, an exploit mitigation system that requires a cryptographic signature before code in memory can be executed. Without the signature or a bypass, hackers would not actually be able to run the malicious code.
Unfortunately, there is not much a user or business can realistically do until Apple ensure the fix has been implemented and an update is made available to Mac and iPhone users. The generic advice for an issue like this though is:
- Avoid using the feature or application (in this case, Safari)
- If you notice any suspicious activity on your phone (such as inappropriate pop-ups, texts or calls not made by you, or apps or data usage you don’t recognise), you should immediately run anti-malware software and, in the worst case, reset your phone to factory settings
Conclusion
Whilst it looks like this particular flaw isn’t something to be overly concerned about at first glance, it could potentially unlock very serious attacks in the future as this is seen as a significant hurdle in taking advantage of other in-the-wild exploits that have plagued both Apple and Android devices. Apple’s slow response and sloppiness in all of this are also worth noting, as there should be as little time as possible between an exploit being discovered and Apple patching it.