Two Apple zero-day vulnerabilities affecting Apple's own WebKit browser engine were disclosed and patched Thursday. The fixes come just as Apple says it's aware of the flaws being exploited on devices running on iOS versions prior to iOS 16.7.1 (released on Oct. 10, 2023). Apple patches are in iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2 and Safari 17.1.2 updates.
WebKit is an open source browser engine developed by Apple and is used by a bevy of Apple products including Safari, Mail, App Store, and other apps on macOS, iOS, and Linux. Additionally, a large number of third-party web browsers, available via Apple’s App Store, also use the WebKit browser engine.
WebKit bugs may leak sensitive data, execute malicious code
The two vulnerabilities, tracked as CVE-2023-42916 and CVE-2023-42917, open devices up to attacks that allow adversaries to access sensitive information on targeted Apple devices.
The first bug (CVE-2023-42916) is related to an out-of-bound read flaw that could disclose sensitive information while processing web content. Apple says a patch addresses this flaw by improving input validation.
The second bug can lead to arbitrary code execution (ACE) due to a memory corruption vulnerability. The security updates provide improved "locking" to prevent the use of ACE exploits, Apple said.
Both flaws were reported to Apple by Security Engineer Clément Lecigne of Google’s Threat Analysis Group (TAG). Apple states it is “aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.”
Apple is mum on the technical specifics of the vulnerability or the blast radius of the attacks.
Google and Apple zero-days are unrelated
Lecigne, along with Google TAG colleague Benoît Sevens, also discovered an actively exploited Google Chrome zero-day on Nov. 24 that was patched on Nov. 28, involving an integer overflow flaw in Chrome’s 2D graphics library Skia. However, while Google’s Chrome browser app for Apple devices uses the WebKit engine, the Skia bug appears to impact desktop implementations of Chrome and browsers using the Chromium engine.
A Google representative confirmed to SC Media that the WebKit and Skia exploits are not related and not from the same TAG investigation.
WebKit zero-days fodder for anti-competition concerns
The United Kingdom’s Competition and Markets Authority (CMA) won its case against Apple in the Court of Appeal in London on Thursday in a decision that will allow it to continue its investigation into Apple’s restrictions on third-party mobile browser developers.
CMA outlined issues it plans to cover in its “Mobile browsers and cloud gaming market investigation” on Dec. 13, 2022 following a prior market study it conducted in 2021.
According to the issues statement, “The Market Study found evidence that the quality of all browsers on Apple devices is limited by the slower pace of development of WebKit, that web developers have cancelled features due to lack of support by WebKit, and that businesses bear higher costs from having to rely on native apps compared to web apps, and from working with bugs and glitches that are inherent in WebKit.”
Apple says it offers "best in class" security
In response to the CMA’s statement of issues, Apple argued that its WebKit engine ensures “best in class” security and privacy for its device users.
“WebKit’s integration with iOS is a key pillar underlying this, as it allows WebKit to utilize a number of effective security processes,” Apple wrote in its January 2022 response letter (PDF), which cites “the ability to ship security updates for WebKit in a single, uniform approach that minimizes security vulnerabilities and prevents a long tail of unpatched apps” as one of the benefits of its App Store restrictions.
Open Web Advocacy, an advocacy group of software engineers from around the world, lists ending the “Apple browser ban” as its top priority, stating the restriction “has stalled innovation for the past 10 years and prevented Web Apps from taking off on mobile.”
Alex Russell, a Microsoft partner product manager on the Edge browser and an owner of the Chromium Blink API, sounded off on the browser ban in light of the two new zero-days disclosed on Thursday.
“Why does this matter? In part, because the forced iOS browser monoculture is *terrible* for users who can't get access to safer, better-funded browser engines, or engines built with safer technology (e.g., Gecko),” Russell wrote on Mastodon.