back to article Apple emits emergency fix for exploited-in-the-wild WebKit vulnerability

Apple on Thursday patched a zero-day security vulnerability in its WebKit browser engine, issuing updates for iOS, iPadOS, and macOS. Its Safari browser, based on WebKit, received the security update separately for instances where it is being used with an older version of macOS, like Big Sur. Apple's tvOS was also refreshed, …

  1. Anonymous Coward
    Facepalm

    Late Gate

    Once again, the walled garden is closing the gate after the horse has already left the barn.

    Apple needs to reassess their 'my way or the highway- not so much in terms of Internet Explorer but in terms of Blackberry which died forever this week. It, too, was once the dominant mobile ecosystem, phone and OS and browser.

    1. badflorist Silver badge

      Re: Late Gate

      I think they need to reassess everything. They do seem to have a somewhat better road map for user privacy, but that's seemingly only from social media, or at least definitely NOT web browsing. Keeping these vulnerabilities hush-hush like nobody else will find them is clearly not a great sign of confidence (just close your eyes and pretend it never happened nor will again...?).

      Years ago on a site called "Astalavista" (a hack/crack site) someone mentioned in an interview why they chose to hack/exploit Windows 95 and they stated because Windows was always being mentioned in hacker news. So, not because it was hackable or that the hacker new the security was weak, but simply because "Windows" kept poping up in the news.

    2. Tessier-Ashpool

      Re: Late Gate

      The first I knew about this particular vulnerability was the day that the fix became available. Like most onlookers. Even then, the actual mechanics of the vulnerability were not announced, making life difficult for would-be miscreants.

      I’d like to know the kind of world (in the absence of a functioning time machine) you imagine where a fix for a zero-day vulnerability is released ahead of its discovery and announcement.

      1. PM.

        Re: Late Gate

        But then, Apple admitted that it saw signs this flaw was being already exploited in the wild.

        You didn't know about it, but "bad guys" already did ...

        1. Tessier-Ashpool

          Re: Late Gate

          Since you know so much, exactly when did the bad guys find and exploit this vulnerability, and how long did it take Apple to address it? Do not forget to mention "stable door" in your answer.

  2. David 132 Silver badge
    Happy

    I love this quote from the Microsoft Edge rep...

    Alex Russell, a program manager for Microsoft's Edge browser who formerly worked at Google and has long evangelized web technology, echoed past frustration with Apple's insistence that only WebKit is fit for iOS.

    "Imagine, if you can, a world where installing an alternative browser as your default actually had a chance of protecting you from Apple's shocking underinvestment in security," he lamented via Twitter.

    I almost spat out my drink at this point.

    Yes, Apple has brought this on themselves and I'm not excusing them.

    But imagine, if you can Alex Russell, a world where installing an alternative browser as your default didn't result in you getting bombarded with pleas/warnings to keep using the OS vendor's own browser. Cos apparently neither Google nor Microsoft want to.

    Bah. A pox on all their houses.

    1. Paul Crawford Silver badge
      Facepalm

      Re: I love this quote from the Microsoft Edge rep...

      Yes MS, and imagine a world where all browsers are based on Chrome

      Oh, we are almost there :(

      1. PriorKnowledge
        Devil

        Even worse…

        Imagine a world where every “app” bundles its own private copy of Chromium and gobbles all your RAM as a result. That is the reality on Windows right now. Given how lazy many developers are these days, it is no wonder Apple wants to mandate the reuse of platform-managed code as much as possible. Microsoft needs to start encouraging folks who would otherwise bundle Chromium to use WebView2 instead if they want to fix the mess.

        Google seized the perfect opportunity to fork WebKit and run off with the community around 2014, and as a result, everything and everyone moved to using the Chromium codebase. This turned out to be both good and bad.

        The good side is we now have a browser which works consistently across operating systems, which deliberately ships without plug-in support. mandating open standards. It is also licensed in a way which guarantees we have access to the source code of the whole browser. The bad side is that said browser is an integrated, interdependent whole, which leaves non-agile operating systems like Playstation/Nintendo OSes and RHEL/Debian Linux with no way to maintain central, stable updates. With that said, many WebKit ports historically sucked for security support anyway, especially GTK and Qt, which were graced with hundreds of CVEs per year which took forever to get fixed on actual end-user systems. This is even more evident with Playstation jailbreaks all being based on exploiting unpatched WebKit flaws.

        One might think Apple should just give in and adopt Chromium themselves, but WebKit2 is the only viable competitor nowadays and it is used all over iOS for things like Mail, Music and various web views baked into third party apps like Spotify and Netflix. I would rather Apple continues to mandate it but then pours a bunch of time and investment into it so that we all have some diversity in terms of browser engines. Plus, you never know, Microsoft could jump ship one day in the name of native performance, as Chromium will always be tied to abstraction layers like Skia…

        1. big_D Silver badge

          Re: Even worse…

          And Microsoft are a big offender in this respect. Their Teams uses Electron (currently), even though they have access to tools to make native applications, which are provided by, erm, let me think... Oh, yes, from Microsoft!

          They even have a cross-platform application development system, .Net, which they could use.

          But, no, Teams uses the Electron bloatfest. It brings my Core i5 laptop to its knees when in a 5 way conference. It had gobbled up all the RAM and I had to quit Firefox, Outlook, Excel and RDP in order to have a fluid video conference that wasn't constantly hickcoughing and dropping the sound.

      2. bombastic bob Silver badge
        Mushroom

        Re: I love this quote from the Microsoft Edge rep...

        or imagine a world where ALL INTERFACES ARE 2D FLATASS FLATSO FLATTY McFLATFACE

        Not on MY workstation, but yeah...

        (they may not be BASED on Chrome, but they sure LOOK like it)

    2. LDS Silver badge

      "getting bombarded with pleas/warnings to keep using the vendor's own browser"

      You mean how Chrome got on most PCs?

      Still it's years I'm using Firefox and Windows never blocked it.

      1. Anonymous Coward
        Anonymous Coward

        Re: "getting bombarded with pleas/warnings to keep using the vendor's own browser"

        Aim your time machine 10, maybe 15 years further back.

  3. amanfromMars 1 Silver badge

    A Problem for All Systems Browsers Prone to Probes from/for Underground Resistance Movements*

    Processing maliciously crafted web content is one thing, trying to suppress and deny the remote universal activation and local ACTivity of meticulously crafted web content processes delivering change and offering more than just endless vain hope is quite another, and totally different.

    To confuse the one for the other is difficult and malicious and borne of wilful and ignorant malevolent intent which creates for itself an almighty enemy against which one experiences serial catastrophic existential defeats.

    * Heavenly Overload Transport/Virtual TelePortation

    Further deeper analysis of that which some may propose and label as maliciously crafted web content is all that is needed to reveal the true nature of anything meticulously crafted to offer priceless change.

    Don’t be a Maniacal Suicidal Fools' Tool with Thoughts Implanted to Rage and to Wage War against anything even remotely like anything like that, for one’s fate and destiny is then sealed as surely and as accurately as theirs is described ..... Self-Destructive Manic Death.

    1. Lord Elpuss Silver badge

      Re: A Problem for All Systems Browsers Prone to Probes from/for Underground Resistance Movements*

      Your ramblings were entertaining for a while, now it's just annoying.

      1. amanfromMars 1 Silver badge

        Beware and Be Aware there are Many with Epic Mental Health Problems. Take Care Out There

        Your ramblings were entertaining for a while, now it's just annoying.

        Jake may be an objectionable know-it-all, but does generally seem to talk sense. amanfromMars1 used to be entertaining if incomprehensible; now it's just annoying rubbish. .... Lord Elpuss

        Is that you getting down and dirty and resorting to Ad hominem assaults on the bearer of matters you admit you used to find incomprehensible rambling entertainment but now much more so, annoying rubbish.

        Unfortunately the only help that can be offered you, M'Lud, and it is a cold comfort indeed, is advice to steer well clear of matters you can clearly, freely respond to but which you don't understand and which annoy you.

        Is it a case of the former delivering the latter ...... your not understanding matters causing that which you see and your brain processes to be labelled and shared as annoying rubbish?

  4. -tim
    Facepalm

    Only some are patched

    More than 5% of the macs that hit my web sites are versions that are old enough that they will never be patched and they cluster around the last supported versions for hardware that appears to be fully functional except for their stock browser is full of holes. A team of 5 people in apple could keep these older machines running securely. Apple hardware seems to keep getting handed down to others when new machines are bought. We still see PPC based macs. Most countries have laws that require major appliances to be supported for at least a decade and it is time those laws were enforced with the vastly more expensive computers particularly with the total lack of hardship it would cause Apple.

    1. Anonymous Coward
      Anonymous Coward

      Re: Only some are patched

      PPC macs were discontinued in 2005. That's longer than Windows XP has been obsolete... Even if you could get OS updates, there are no software updates any more.

      1. Anonymous Coward
        Anonymous Coward

        Re: Only some are patched

        Do you know when the last iTunes update was for the PPC based mac? It wasn't that long ago so it isn't as unsupported as you claim. There are still plenty of them on the net and last Safari on them works with most web sites once you delete all the obsolete system keys and install the new ones. An update to the timezone files is also helpful. Once that is done, email, calendar, word, excel and web surfing all works fine on the things. If the thing was open source, there would be a bunch more that aren't in landfills. Until recently a modern version of firefox was even supported for more secure web browsing of sites with stupid javascript.

    2. PriorKnowledge

      Apple provides a very long support lifecycle

      These days they provide security patches for a minimum of 7 years after sales of a model are discontinued, with a clear indication of this on their website. For many day 1 purchasers, that means they have a decade of security support. For reference, 2012 Mac Minis are still receiving security patches for the whole stack and will do until a couple of months after the successor to macOS Monterey is released. By comparison, my HP desktop didn’t even reach the 5 year mark before HP decided not to patch serious Intel Management Engine flaws which basically amount to a backdoor, despite upstream fixes being available. It isn’t a cheap unit either.

      Sure, I can run Windows 11 on this machine (it has UEFI and TPM 2.0) and potentially receive OS patches on a 2015 PC until 2035, but that’s meaningless when the vendor won’t fix UEFI bugs and other serious low-level hardware issues. I actually can’t restart my PC without turning it off and on again, as on reboot, the machine will not go beyond the boot loader. A patch from HP would fix that (it’s a UEFI bug with M.2 SSDs) but they don’t care as this PC is already end of life in their eyes. Most PC vendors are the same and the situation is often even worse with enthusiast-grade parts on custom builds.

      In terms of the cost to Apple to provide fixes for longer… maintenance of Intel Macs is dependent upon Intel and other hardware manufacturers, not Apple. Apple’s policy is to look after the whole stack and stop patching devices once upstream stops providing support for any of the components. Folks who want patches for the browser and OS for longer can still have them, they just need to use unofficial (dosdude) downloads to get them, much like how I can use Windows 11 despite not being offered it as an upgrade.

      1. big_D Silver badge

        Re: Apple provides a very long support lifecycle

        It really depends, which Apple device you buy.

        I was unlucky, I bought a first generation Intel iMac 24" in 2007. That stopped getting OS X upgrades with Lion (2011) and the last security update was in October 2012 - almost exactly 5 years. (The problem was that the first Intel Macs used a 64-bit processor, but only 32-bit UEFI, after a couple of years, Apple dropped support for 32-bit UEFI and went all 64-bit, leaving those early adopter hanging in the wind.)

        One of the reasons I bought the iMac was Mac using friends telling me that Apple supported their devices for longer than Microsoft did. I have used Macs on and off at work since 1987, but the Intel iMac 24" was the first one I actually owned. They had always been too expensive, but with a lecturer's discount, the first Intel iMacs were actually competitively priced, compared to an equivalent Windows PC + 24" display at the time. When I came to replace it, the cost of a 24" display had sunk by 70%, the price of the iMac had increased...

        The irony is, the BootCamp site was using Windows 7, which would have continued support until 2020, if the logic board hadn't crapped its pants in 2016.

        That put me off buying another Mac for a long time - although I did get a Mac mini M1 at the end of last year... We shall see.

        At the moment, I have a 2010 Sony Vaio laptop, running Mint, a 2017 Ryzen 1700 desktop running SUSE, a 2016 HP Spectre x360 running Windows 10, a handful of Raspis and an M1 Mac mini.

    3. Lord Elpuss Silver badge

      Re: Only some are patched

      1. 5% users is in the "not economically viable to support" bracket.

      2. A team of 5 people is nowhere near enough to keep these older systems *securely* supported.

      3. Apple fully supports (HW/FW/OS/Security) systems back to 2012 (a decade), and for security even longer. So... ¯\_(ツ)_/¯.

      4. '...total lack of hardship' - see (2), plus it's not just the immediate costs; there are far higher hidden costs associated with supporting very old hardware.

      1. gnasher729 Silver badge

        Re: Only some are patched

        That team of five to support 5% ancient Macs would be more effective if they helped protecting the 95% non-ancient Macs. And consider that these five are either among the most experienced developers that Apple has, or they are newbies who have no experience with these old machines whatsoever.

  5. W.S.Gosset Silver badge

    Thomas!

    You didn't say whether or not Apple had responded to ElReg's request for comment!

    Now we'll never know.

    1. David 132 Silver badge
      Joke

      Re: Thomas!

      Completely and utterly unrelated to the article, but your comment did remind me of something. In the obituaries of Barry Cryer last month, several newspapers quoted his last-ever joke:

      A man and his wife are out walking one day when they spot a lone fellow on the other side of the road.

      “That looks like the Archbishop of Canterbury over there,” says the woman. “Go and see if it is.”

      The husband crosses the road and asks the man if he is indeed the Archbishop of Canterbury.

      “F— off,” says the man.

      The husband crosses back to his wife, who asks, “What did he say? Is he the Archbishop of Canterbury?”

      “He told me to f— off,” says the husband.

      “Oh no,” replies the wife, “Now we’ll never know.”

      1. W.S.Gosset Silver badge

        Re: Thomas!

        That started the worst and became the best way to discover Barry Cryer has died. Thank you.

        This observation of his --in that tone/rhythm of voice of his-- always leaps to mind when I hear his name, being incisive on the futility of people trying to develop theories re comedy:

        "Analysing a joke is like dissecting a frog.

        Nobody laughs, and the frog dies."

        1. David 132 Silver badge

          Re: Thomas!

          Indeed.

          (Not sure why you’ve been downvoted. ‘Twasn’t me.)

          1. amanfromMars 1 Silver badge

            Re: Thomas!

            (Not sure why you’ve been downvoted. ‘Twasn’t me.) ...... David 132

            A downvote without accompanying explanation is just a dumb mal-adjusted algorithm exercising itself with sub-prime play, David 132 ..... so not anything real to be worried about being effective and instrumental.

            1. I ain't Spartacus Gold badge
              Happy

              Re: Thomas!

              A downvote without accompanying explanation is just a dumb mal-adjusted algorithm exercising itself with sub-prime play

              amanfromMars and jake are the same person, and I claim my £5.

              Or he's been hacked, as he's almost been starting to make sense recently.

              1. Lord Elpuss Silver badge

                Re: Thomas!

                "amanfromMars and jake are the same person, and I claim my £5."

                Jake may be an objectionable know-it-all, but does generally seem to talk sense. amanfromMars1 used to be entertaining if incomprehensible; now it's just annoying rubbish.

      2. JimboSmith Silver badge

        Re: Thomas!

        Archbishop of Canterbury…….If you’ve seen Four Weddings and a Funeral you may have missed a future Archbishop whilst watching it. It’s in the wedding involving Bernard & Lydia which the delightful Roman Atkinson presides over. There are two priests in the scene, and as well as Rowan Atkinson there’s also a certain Rowan Williams who later went on to become……..the Archbishop of Canterbury.

  6. T. F. M. Reader Silver badge

    Outliers

    The article does not, IMHO, provide all the context for some quotes. I encourage the commentariat to click on the Project Zero link.

    My first reaction: So Apple and Google deal with problems in 70 and 72 days on average, respectively. But for WerbKit the lag is 73 days. I call it "about average", not "an outlier".

    After looking at the Project Zero page: 70 vs. 72 is for mobile phones only. For browsers, Apple's 73 "average days to repair" is a clear outlier (from a sample of 3 vendors). For the rest, the tables are quite interesting, and Apple don't look all that well (not the worst - there is always Microsoft and, well, Oracle...).

    The sampling methodology of Project Zero is not that clear to me, but at least it helped bring my originally raised eyebrow back in its place.

    1. Anonymous Coward
      Anonymous Coward

      Re: Outliers

      Project Zero is part of Google's security team, so I don't think that it is particularly relevant to compare Chromium's patch speed to a third-party company.

      I will say that 30 days is the usual turn-around for security issues (or at least it used to be), so anything taking 72 days is a bit of an eyebrow raiser...

    2. Ace2 Silver badge

      Re: Outliers

      The article is just cut-and-paste paragraphs from all of the author’s recent articles about Apple. I’m not surprised to hear that its analysis is woefully shallow.

  7. Anonymous Coward
    Anonymous Coward

    Hmm...

    On the other hand, the "choice" you have for browsers are Webkit, Chromium and Firefox... and Webkit is a Chromium fork to start with.

    1. Brewster's Angle Grinder Silver badge
      Meh

      Re: Hmm...

      It's the other way around; Google forked part of Webkit to build Blink. Although, prior to starting work on Blink, Google had become the biggest contributor to Webkit.

      Like everybody else, I despair over the winnowing of browser engines. But they are such a huge investment and require such a lot of work. I suspect it's more pride than economic sense that stops Apple doing a Microsoft; I'm sure they could layer their privacy tweaks and architectural adaptions on top of Blink at less cost. (And with Mozilla struggling for cash, it's easy to imagine that in five years we find just wrappers round Blink... *sigh*)

      1. Zolko Silver badge

        Re: Hmm...

        Google forked part of Webkit to build Blink

        and not ONE mention that it all started with Apple forking KDE's khtml renderer for Konquerror to make Safari ?

  8. fg_swe Bronze badge

    Systemic Source: Lack of Memory Safety in C++

    Tme and Again, the lack of Memory Safety in C++ causes exploitable bugs.

    We should get rid of handcoded C an C++.

    http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf

    Also see what Sir Tony Hoare has to say on this subject.

    1. Paul Crawford Silver badge

      Re: Systemic Source: Lack of Memory Safety in C++

      Ah yes, the village idiot asked for directions who replied "If I were you, I wouldn't start from here".

      You have some magical way to rewrite, test, and debug all of that code in the latest language-du-jour that is memory safe?

      1. fg_swe Bronze badge

        Questioning Standards

        The "standards" of C and C++ are obviously a huge security problem. You can now play sisyphus and roll the rock up the hill forever - OR - you start to question the root cause.

        Software engineers and programmers need all the safety nets they can get, including Memory Safety.

        Mozilla attempted to reimplement the browser in Rust, but then mysteriousy stopped this effort.

        1. bombastic bob Silver badge
          Trollface

          Re: Questioning Standards

          Mozilla attempted to reimplement the browser in Rust, but then mysteriousy stopped this effort.

          I thought Rust was invented for this VERY PURPOSE...

        2. Charlie Clark Silver badge

          Re: Questioning Standards

          Mozilla attempted to reimplement the browser in Rust, but then mysteriousy stopped this effort.

          This isn't true. Mozilla developed Rust initially for systems work and then implemented some browser features, I think the CSS parser is one example, but not the whole browser and there are no plans to do so.

  9. Eccella

    Most important.

    The update fixes an issue that may cause Braille displays to stop responding. Is this a Webkit issue as well?

  10. Lord Elpuss Silver badge

    "...had a chance of protecting you from Apple's shocking underinvestment in security," he lamented via Twitter."

    ODFO. Anybody who excretes this bollocks clearly has zero idea what they're talking about.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like