SecureMac, Inc.

Checklist 229: Zero-Days and WebKit with August Trometer

May 7, 2021

0-days, WebKit, and Apple’s intentional vagueness. We discuss this week’s updates (and what they mean) with August Trometer.


A week after a slew of updates from Apple, we received … a smaller slew of updates from Apple. August Trometer joins us to discuss:

What are 0-days, anyway?

At the end of April, Apple released updates for all of its operating systems. Then just this week, the company released another round of updates — this time patching a couple of 0-day bugs in WebKit.

Former Checklist co-host August Trometer joined us on the podcast to explain what’s going on — and to help us understand the language in Apple’s security update notes.

Let’s begin with some definitions. The term “0-day” refers to a vulnerability that makes it out into the real world … but without the developers knowing about it. The expression refers to the fact that developers have no time (“zero days”) to fix the problem once they become aware of it.

0-days are very serious, because the bad guys can exploit them to do all sorts of nasty things. Even worse, until the developers are able to release a security patch, there’s really no defense against a 0-day.

We mentioned that the two 0-days patched by Apple this week affected WebKit. So … what, exactly, is WebKit?

Very simply, WebKit is an open-source web browser engine initially developed by Apple. These days, WebKit (or some fork of WebKit) is used by many different companies in their software, including such big names as Google, Microsoft, and Sony.

On Apple’s platforms, WebKit is everywhere — not just in Safari, but also in Mail, the App Store, and many different apps as well. So when Apple released its updates last week, the patches covered:

  • Safari 14.1
  • macOS Big Sur 11.3.1
  • iOS 14.5.1 and iPadOS 14.5.1
  • iOS 12.5.3
  • watchOS 7.4.1

Needless to say, if you have an Apple product that can run any of those versions, you should update right away!

Of corruption and overflows

So that explains what 0-days and WebKit are, but what about the actual vulnerabilities that caused all of the concern?

Apple describes the first of the bugs as a “memory corruption issue” that was addressed with “improved state management”. August broke it down for us this way:

Memory corruption bugs allow hackers to replace code in memory on your device with malicious code. That might let a hacker access information on your device, wipe it clean, hold it for ransom, and all kinds of other things.

The fix for this, “improving state management”, refers to the OS-level protections that monitor memory and check code to make sure that it hasn’t been tampered with.

The second 0-day was an “integer overflow” that was fixed with “improved input validation”. August says that this issue is similar to the first one, but that it takes advantage of a different vulnerability:

Any time you hear the word “overflow” in relation to computers, it means that a section of memory has been given “too much” to remember — and so it starts using other parts of memory. This allows the hacker to run their code, which can do lots of really bad stuff.
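An added illustration of the bug class Apple's notes name for the second 0-day, an integer overflow closed by input validation: a size calculation that wraps around on a large count, beside a version that rejects the count first. This is not WebKit's code or Apple's patch; the record size, function names and sample value are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical fixed record size; every name here is illustrative. */
#define RECORD_SIZE 16u

/* Unchecked: the byte count is computed in 32 bits, so a large count
   wraps modulo 2^32 and yields a size far smaller than required. */
uint32_t bytes_needed_unchecked(uint32_t count) {
    return (uint32_t)(count * RECORD_SIZE);
}

/* Validated: refuse any count whose product cannot be represented.
   Returns 0 and stores the size on success, -1 on rejected input. */
int bytes_needed_checked(uint32_t count, uint32_t *out) {
    if (count == 0 || count > UINT32_MAX / RECORD_SIZE)
        return -1;
    *out = count * RECORD_SIZE;
    return 0;
}

/* Allocate room for `count` records only after the count is validated. */
void *alloc_records(uint32_t count) {
    uint32_t n;
    if (bytes_needed_checked(count, &n) != 0)
        return NULL;
    return calloc(1, n);
}

int main(void) {
    uint32_t hostile = 0x10000001u; /* constructed input: 268,435,457 records */
    uint32_t n = 0;

    /* Without validation the size wraps to a tiny value, so a buffer of
       that size would be far too small for the records that follow. */
    printf("unchecked size for %u records: %u bytes\n",
           (unsigned)hostile, (unsigned)bytes_needed_unchecked(hostile));

    /* With validation the request is refused before any allocation. */
    printf("checked result: %d\n", bytes_needed_checked(hostile, &n));

    void *ok = alloc_records(4); /* a sane count still works */
    printf("alloc_records(4): %s\n", ok ? "allocated" : "refused");
    free(ok);
    return 0;
}
```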

This week’s updates go back beyond current OSes to even older ones. However, August tells us that this doesn’t necessarily mean the vulnerabilities are being widely exploited. It could simply be the case that the 0-days have been around for a while … but that Apple is only now finding out about them. If that’s what’s going on, then Apple’s goal at this point would be to get updates out to everyone who could be affected.

Reading between the lines

In its security release notes, Apple says that it is “aware of a report that this issue may have been actively exploited”. To some of us, that probably sounds a little bit vague … maybe even intentionally so. And that raises some questions. How should we read this kind of carefully worded statement from Apple? Is it basically a confirmation that the bugs are being exploited? August thinks so:

I would definitely read it as “at least one bad actor out there is doing this”. One thing that they don’t say is where it’s being used, or on what device. So it might be an Apple device, but it might be a Windows device. It could be a lot of different devices, but Apple getting these patches out there protects its own users.

So why doesn’t Apple say where the bugs are being exploited? August speculates that part of the reason may be to protect developers who use WebKit in their products. If Apple said, for example, that a WebKit bug had been exploited on PlayStation systems, it would unnecessarily single out Sony (which wouldn’t really be fair to Sony anyway, since it was a WebKit bug that caused the issue in the first place!). In addition, being overly specific in security release notes could cause users of currently unaffected systems to ignore the update — even though they’re at risk too.

In short, Apple wants everyone to update when they release a patch like this … and so do we, which is why we recommend that all users turn on automatic updates!

If you have a question or a topic that you’d like to see addressed on a future Checklist, please write to us and let us know. To learn more about digital security and privacy, check out our show archives, where you’ll find audio and complete notes for every episode we’ve ever done.
