LinusHenze / WebKit-RegEx-Exploit


Clarification on README.md #2

Closed. ghost closed this issue 5 years ago.

ghost commented 5 years ago

Hi,

I apologize if I am misreading/misunderstanding but you state in your README.md:

This is an exploit for the latest version of Safari (as of Dec. 6 2018). Fixed in the current WebKit release, therefore I decided to make this public.

  1. What exactly do you mean by "it's fixed in the current release of WebKit"? Is the WebKit release not pushed out to iOS/macOS yet or something? I am not too familiar with the Apple environment, so I apologize. Does iOS update its WebKit version independently of iOS updates, or would there need to be a new version of iOS to fix this?

  2. Is the vulnerability only for Safari specifically or for all WebKit based browsers?

  3. What WebKit version fixes this?

  4. Is there a CVE for this?

Thank you and incredible job on this!

LinusHenze commented 5 years ago

To 1: It's fixed in the master branch of WebKit. Apple has its own version of WebKit, which is usually multiple releases behind the current one, and they haven't yet integrated the fix (Apple wants to make sure that the version they ship is stable; usually the master branch contains many experimental and untested features). If you want Safari with the latest version of WebKit, you can download Safari Technology Preview, which contains a pretty recent version of WebKit (only available for macOS). WebKit ships as part of iOS and macOS, so an iOS/macOS update is required.

To 2: This is not specific to Safari but applies to any WebKit-based browser that also uses JavaScriptCore as its JavaScript engine.

To 3: Version r238267 fixes this.

To 4: I don't think so.

ghost commented 5 years ago

Wow, that's horrifying. Good find. So I guess for now the mitigation would just be to disable JS until it's patched.

Any reason why you posted the PoC before Apple was able to patch it? I am sure they are scrambling to fix it right now, as once someone is able to repurpose this for iOS (if they haven't already), they will be able to do a lot with it. RCE exploits like this for iOS sell for a lot on the black market.

LinusHenze commented 5 years ago

Just wanted to force Apple to patch it. Also, there is a bug report on the WebKit bug tracker, so everyone could have made a PoC; still, Apple didn't fix it in iOS 12.1.1/macOS 10.14.2 although the report was created on Nov. 15 (and the fix was integrated in WebKit the same day). (Ok, I found out about the bug report after I published this. However, the last time I submitted something to Apple they just silently patched it; that's probably part of the reason why I published the exploit without waiting for Apple to patch it.)

ghost commented 5 years ago

Ah, that makes sense. That's weird that they silently patched it and never gave you a proper response / bug bounty. Well, I guess you have their attention now, haha. I looked into it more and it still requires an additional kernel vulnerability to properly jailbreak a device, so it's not as dangerous as I first suspected. Apple has been having a lot of kernel CVEs recently, though. iOS 12.1.1 fixed like 5 kernel vulnerabilities IIRC.

I would be mad too, though, if I reported a vulnerability and they silently patched it. They have been criticized a lot recently for their bug bounty programs, so it's not anything new.

LinusHenze commented 5 years ago

I'm closing this issue. If you have any questions, feel free to reopen it.