Why is Open Source WebKit the Weak Link in Apple Security?
From the 'Update or be Pwned' files:
About a month before the recent HP mobile pwn2own event, I told the event organizers that is extremely likely that the mobile vulns they find will be WebKit related.
As it turns it out I was right and I'm not surprised.
The iPHone 4S was hacked by way of a WebKit vuln and I strongly suspect the NFC attack on the Samsung Galaxy had a WebKit component too. WebKit vulnerability fixes also rank highly (by my count over 50 percent) for all security fixes made in the recent Apple iOS 6 update.
WebKit vulnerabilities also accounted for over 100 flaws fixed in Apple's latest iTunes update.
Google, to its credit, has been very aggressive patching WebKit vulnerabilities often and regularly. A good number of those vulnerabilities seem to be found in any given month by Google's own open source Address Sanitizertechnology that can help identify potential use-after-free type memory conditions.
Apple does fix WebKit vulnerabilities too – though it seems to consistency be slower at doing so than Google. Apple also seems slower at fixing WebKit vulnerabilities on mobile/iOS than on the desktop, (think Safari).
To be fair, updating WebKit isn't as easy for Apple on iOS as it might be on the Mac. Sure, Apple could *simply* update Safari whenever new WebKit issues arise, but the reality is that WebKit's usage extends beyond the browser and is an integral part of iOS itself in a different way than WebKit on Mac OS X. Simply put, it's not just about the browser.
That said, time and again – if a security researcher is looking for a path to exploitation on iOS, they need to look no further than WebKit. Just look for a vuln that has been patched in Chrome, see that it hasn't been patched in iOS and then get 'cracking' on what you want to do.
Yes, I know, that the fact that a WebKit vulnerability exists, doesn't necessarily mean that it is exploitable or that an attacker can actually weaponize such an exploit either. But it is a starting point…..
Sean Michael Kerner is a senior editor at eSecurity Planet andInternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.