While the rest of the world relies on Windows operating systems for their browsing requirements with multiple browsers like Firefox, Chrome and Opera, Apple users are quite fond of Safari, an exclusive browser found on iPhones, Macs and other Apple products. Safari is not as popular on the Windows operating system even though it is available to download and use.
The latest update is that Apple platforms, which are known for their exceptional security, have been found to have a loophole. A security researcher has confirmed that he has come across a vulnerability in WebKit, the web browser engine used to power the Safari browser, and such an issue could lead to leaked data—thereby compromising confidential information.
According to the report submitted by the researcher, the regular expressions used by WebKit have a matching issue that could lead to arbitrary shellcode being executed on the devices without authorization from the user.
A Quick Resolution from Apple Is Expected
Linus Henze was the researcher behind the exploit, which was released on GitHub. He also created the fix for this mismatch issue and updated it in the WebKit source code.
However, Apple is yet to roll it out to all users as a security update so that they can use Safari without any issues.
In Apple’s defense, the company has been delaying the update because the fix only works for the desktop version of the browser and not on the mobile platform. The issue will still exist on iPhones, iPads and any other mobile devices. The company’s engineers are looking to create a WebKit that acts as a complete package for all platforms and roll it out to protect their users.
The issue exists in all iOS 12 updates done for Safari on mobile platforms, while macOS is affected on all versions above 10.14.
Henze, in his statement, further confirmed that he wanted to make users aware of the problem so that a fix could be initiated at the earliest possible time.
Vulnerability Confirmed By Multiple Experts
The security vulnerability found in Apple’s operating systems triggered interest from different corners. After Henze made it public, another researcher, Will Dormann, got on board to check the authenticity of the problem. He was initially unable to reproduce the bug, but managed to do so later with some guidance.
The researcher who exposed this exploit also added that the way to trigger this bug and gain access to the browser is very similar to another bug demonstrated during the 2018 Pwn2Own contest.
Most vulnerabilities give access to hackers, allowing them to execute code remotely, run programs and even download malware automatically, because Safari, or any other browser for that matter, does have access to automatic downloads. It may lead to a lot of issues, but there is some respite for users. The researcher suggests that Safari has a built-in security system which uses the same-origin policy, which restricts files and other programs from different origins from working together to achieve combined results.
Bypassing Safari’s Security System Could Lead to Security Issues
At the time of the vulnerability, Apple's Safari browser would allow a hacker to access everything the browser is authorized to access. While it does have the same-origin policy to prevent multiple programs from communicating with one another, the attacker can bypass it. Besides, once it is executed, the shellcode can also ignore any limitations set on Safari and gain access to confidential information stored on macOS and iOS.
Apple should consider releasing a fix for it as soon as possible, say the researchers. While Google Chrome uses a similar V8 engine, the browser makes use of the latest version of WebKit, which makes it invulnerable to any such attacks and bugs. Apple’s Safari, on the other hand, has not been updated quickly, which led to this situation.
The company focuses on ensuring stability and reliability for its users by releasing updates at timely intervals, but this may also lead to shortcomings when such vulnerabilities are identified.