No, it doesn’t just crash Safari. Apple has yet to fix exploitable flaw

Exploitable security bug remains in iOS and macOS 3 weeks after upstream fix

Apple has yet to patch a security bug found in iPhones and Macs even though a fix became available almost three weeks ago, a researcher said.

The vulnerability resides in WebKit, the browser engine that powers Safari and all browsers that run on iOS. When it was fixed almost three weeks ago by open source developers outside of Apple, the release notes said that the bug caused Safari to crash. In fact, a researcher from security firm Theori said the flaw is exploitable, and despite the availability of a fix, the patch still hasn’t made its way into either iOS or macOS.

Mind the gap

“This bug yet again demonstrates that patch-gapping is a significant danger with open source development,” Theori researcher Tim Becker wrote in a post published Tuesday. “Ideally, the window of time between a public patch and a stable release is as small as possible. In this case, a newly released version of iOS remains vulnerable weeks after the patch was public.”

source https://arstechnica.com/?p=1767876
Md Shuvo
