The vulnerabilities could enable remote attackers to execute arbitrary code on vulnerable systems by convincing a user to visit a malicious website.
WebKit is the web browser engine used by Safari, Mail, App Store, and many other apps on macOS, iOS, and Linux.
WebKitGTK is one of the browser engines used by various applications on Linux to render web content. It utilizes the WebKit open-source web browser engine combined with GTK+ APIs for integration into GTK+ and GNOME programs. WebKitGTK is used in several popular applications including GNOME Web (formerly Epiphany), Steam, and GNU IceCat, the GNU version of Firefox.
WPE WebKit focuses on embedded devices and is led by Raspberry Pi with contributions from additional partners. Both projects are based on the WebKit open-source browser engine originally developed by Apple for Safari. While Apple maintains the core WebKit codebase, WebKitGTK and WPE WebKit adapt it for integration into Linux and embedded environments.
The issues were reported in WebKitGTK and WPE WebKit Security Advisory WSA-2023-0009 on September 28, 2023. The advisory details six vulnerabilities tracked by the following Common Vulnerabilities and Exposures (CVE) identifiers:
- CVE-2023-39928 - Use-after-free vulnerability in the MediaRecorder API that could lead to memory corruption. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability. WebKit Bugzilla: 260649.
- CVE-2023-35074 - Memory handling issue that could enable code execution.
- CVE-2023-39434 - Use-after-free vulnerability that could result in code execution.
- CVE-2023-40451 - Improper iframe sandbox enforcement enabling potential code execution.
- CVE-2023-41074 - Lack of input validation checks exposing code execution vulnerability.
- CVE-2023-41993 - Vulnerability allowing code execution in processing web content and has been reported as exploited in the wild.
The vulnerabilities impact WebKitGTK and WPE WebKit versions prior to 2.42.1. If successfully exploited, an attacker could execute arbitrary code with the privileges of the application using the vulnerable WebKitGTK or WPE WebKit engine. This could enable an attacker to fully compromise affected systems.
According to the advisory, Apple has acknowledged that CVE-2023-41993 has been actively exploited, underscoring the urgency of applying updates.
All users of WebKitGTK and WPE WebKit should update to versions 2.42.1 or later immediately to mitigate these vulnerabilities.
The vulnerabilities were responsibly reported by security researchers including Cisco Talos, Abysslab, PK Security, and individuals credited in the advisory. The WebKitGTK and WPE WebKit projects thank the researchers for the discovery and disclosure of these issues.
This news highlights the criticality of patching security vulnerabilities, especially in ubiquitous software components like web browser engines. Organizations using WebKitGTK or WPE WebKit should ensure they deploy updates urgently to protect their systems and users. Proactive vulnerability and patch management are crucial for security.