The Register understands from speaking to web developers opposed to Apple's WebKit policies that a few months ago Apple started showing signs that it intends to invest in WebKit.

"Their time to land the fix publicly is in the middle between Chrome and Firefox, but unfortunately this leaves a very long amount of time for opportunistic attackers to find the patch and exploit it prior to the fix being made available to users."

Time to shut the stable door

"WebKit is the outlier in this analysis, with the longest number of days to release a patch at 73 days," wrote Project Zero researcher Ryan Schoen.

In Project Zero's recent analysis of zero-day remediation, Apple's average repair time for iOS bugs is more or less the same as Google's average repair time for Android – 70 and 72 days respectively.

But when browser repairs are compared, Apple fares less well.

Based on past data gathered by Google's Project Zero, "in a timely manner" means "not all that quickly."

In defense of its practices, Apple claims "that as a result of its requirement that all browsers on iOS be based on its own browser engine, WebKit, it is more readily able to fix any privacy and security concerns that arise in a timely manner, and reduce risks for users," as the UK's Competition and Markets Authority recounted in its Januinterim report.

"Imagine, if you can, a world where installing an alternative browser as your default actually had a chance of protecting you from Apple's shocking underinvestment in security," he lamented via Twitter.
The Apple patch is relevant not just to users of Safari, which relies on WebKit, but to users of any iOS browser, because Apple requires that all iOS browsers use WebKit – a situation currently being considered by antitrust regulators in the US and UK.

Alex Russell, a program manager for Microsoft's Edge browser who formerly worked at Google and has long evangelized web technology, echoed past frustration with Apple's insistence that only WebKit is fit for iOS.

In September, 2021, threat research group Citizen Lab documented a zero-day flaw called FORCEDENTRY (CVE-2021-30860) that had been used for at least eight months to compromise Apple iOS, macOS and watchOS devices.

Zero-days in Apple software have been used to carry out sophisticated cyberattacks, such as those conducted by authoritarian regimes against members of civil society with the help of NSO Group's Pegasus software.

No further details about the vulnerability or potential exploit code have been made available.

"Apple is aware of a report that this issue may have been actively exploited."

CVE-2022-22620 is a use-after-free flaw that Apple says it fixed by implementing better memory management.

"Processing maliciously crafted web content may lead to arbitrary code execution," the company's terse security advisory explains.