WebKit security flaw on both iOS and macOS still unpatched by Apple despite available fix

Apple is yet to patch a WebKit vulnerability present in both iOS and macOS despite a fix for the flaw being available for several weeks now, experts have warned.

The vulnerability was first discovered by researchers at cybersecurity startup Theori, which also has a proof-of-concept exploit that takes advantage of the bug.

According to the Theori team, the issue stems from the AudioWorklet interface of the Web Audio API that allows developers to control, manipulate, render, and output audio.

A patch for the vulnerability was added to the upstream WebKit code early in May. Strangely, however, Theori notes that Apple continues to ship vulnerable iOS updates almost three weeks after the patch was made public.

Patch gapping

AppleInsider explains that exploiting the flaw could give attackers the building blocks to execute malicious code on devices. 

The process, though, isn’t straightforward: any real-world exploitation would still need a way to bypass Pointer Authentication Codes (PAC), a mitigation system that requires a cryptographic signature before code can be executed in memory.

Irrespective of how complex it is to exploit the bug, the real issue here is Apple’s inaction despite the public availability of a patch. 

Ideally, there should be a minimal amount of time between a public patch and a stable release. In this case, though, Apple continues to ship new versions of iOS with the unpatched, vulnerable version of WebKit.

Threat actors are known to take advantage of this patch-gapping: the window between fixing a vulnerability and shipping the patch to users.

“This bug yet again demonstrates that patch-gapping is a significant danger with open source development. Ideally, the window of time between a public patch and a stable release is as small as possible. In this case, a newly released version of iOS remains vulnerable weeks after the patch was public,” conclude Theori researchers.

Via AppleInsider

Mayank Sharma