Why is Open Source WebKit the Weak Link in Apple Security? | Internet News
News
SHARE
Facebook X Pinterest WhatsApp

Why is Open Source WebKit the Weak Link in Apple Security?

Written By
Sean Michael Kerner
Sean Michael Kerner
Sep 24, 2012
2 minute read

WebKitFrom the ‘Update or be Pwned’ files:

About a month before the recent HP mobile pwn2own event, I told the event organizers that is extremely likely that the mobile vulns they find will be WebKit related.

As it turns it out I was right and I’m not surprised.

The iPHone 4S was hacked by way of a WebKit vuln and I strongly suspect the NFC attack on the Samsung Galaxy had a WebKit component too. WebKit vulnerability fixes also rank highly (by my count over 50 percent) for all security fixes made in the recent Apple iOS 6 update.

WebKit vulnerabilities also accounted for over 100 flaws fixed in Apple’s latest iTunes update.

Google, to its credit, has been very aggressive patching WebKit vulnerabilities often and regularly. A good number of those vulnerabilities seem to be found in any given month by Google’s own open source Address Sanitizertechnology that can help identify potential use-after-free type memory conditions.

Apple does fix WebKit vulnerabilities too – though it seems to consistency be slower at doing so than Google. Apple also seems slower at fixing WebKit vulnerabilities on mobile/iOS than on the desktop, (think Safari).

To be fair, updating WebKit isn’t as easy for Apple on iOS as it might be on the Mac. Sure, Apple could *simply* update Safari whenever new WebKit issues arise, but the reality is that WebKit’s usage extends beyond the browser and is an integral part of iOS itself in a different way than WebKit on Mac OS X. Simply put, it’s not just about the browser.

That said, time and again – if a security researcher is looking for a path to exploitation on iOS, they need to look no further than WebKit. Just look for a vuln that has been patched in Chrome, see that it hasn’t been patched in iOS and then get ‘cracking’ on what you want to do.

Yes, I know, that the fact that a WebKit vulnerability exists, doesn’t necessarily mean that it is exploitable or that an attacker can actually weaponize such an exploit either. But it is a starting point…..

Sean Michael Kerner is a senior editor at eSecurity Planet andInternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.
Sean Michael Kerner
Internet News Logo

InternetNews is a source of industry news and intelligence for IT professionals from all branches of the technology world. InternetNews focuses on helping professionals grow their knowledge base and authority in their field with the top news and trends in Software, IT Management, Networking & Communications, and Small Business.

facebook
x

Company

Contact us Advertise with us

Categories

News Enterprise Small Business Reviews Podcasts Blog Research

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information