
React, etc. Tech Stack

React, Flux, GraphQL, Hack, HHVM...? All of this and more!

Safari/WebKit WebAssembly vulnerability exploit (wasm)

WebAssembly has been enjoying a buzz in early 2018. The technology has catapulted into the mainstream developer mindset with Golang, Rust and TypeScript as example languages where infrastructure is available for writing Wasm apps.

Support in browsers is also better than ever and it's safe to say WebAssembly has passed critical mass. Way back in 2016 there were experimental implementations in Microsoft Edge, the V8 JavaScript engine and other notable engines. The time of JavaScript's exclusivity is over.

However, with great power comes great responsibility. Even with the sandboxing in browsers providing a safety framework inherited from JavaScript, implementing a new runtime is no easy feat. As the Meltdown and Spectre vulnerabilities have shown, unexpected attack vectors can surface from low-level optimizations.

Even without system-wide exploits like those based on CPU speculative execution, access within the browser's memory space can be a critical vulnerability. This has now been demonstrated in a report from MWR Infosecurity. The research team has found an exploitable flaw in the Wasm engine shipping in the Safari browser.

In the detailed report, researchers Alex Plaskett, Fabian Beterke and Georgi Geshev go in depth into the vulnerability, which they found in the open source implementation of the WebKit browser engine that powers Safari on macOS and iOS. The team found the security hole while fuzzing the Wasm binary file format.

The vulnerability could be exploited through heap memory corruption, but Apple has already fixed it in a macOS update (10.13.4). Given the limited adoption of WebAssembly and Apple's strong track record of users patching their operating systems, it is unlikely that this vulnerability will be widely exploited.

The key takeaway from this exploit is that WebAssembly and its Wasm binary format are no security panacea, and that developers should trust what Fox Mulder says: Trust no one.

Written by Jorgé on Tuesday April 17, 2018
