WebAssembly has been enjoying a buzz in early 2018. The technology has catapulted into the mainstream developer mindset with Golang, Rust and TypeScript as example languages where infrastructure is available for writing Wasm apps.
Even without system-wide exploits like those from CPU speculative execution, access within the browser memory space can be a critical vulnerability. This has now been demonstrated in a report from MWR InfoSecurity. The research team has found an exploit in the Wasm engine shipping in the Safari browser.
In the detailed report, researchers Alex Plaskett, Fabian Beterke and Georgi Geshev go in depth into the vulnerability, which they found in the open source implementation of the WebKit browser engine that powers Safari on macOS and iOS. The team found the security hole while fuzzing the Wasm binary file format.
The vulnerability could be exploited through heap memory corruption, but Apple has already fixed it in a macOS update (10.13.4). Given the limited adoption of the WebAssembly technology and the strong track record Apple has of users patching their operating systems, it is unlikely that this vulnerability will be widely exploited.
The key takeaway from this exploit is that WebAssembly and its Wasm binary format are no security panacea, and that developers should trust what Fox Mulder says: Trust no one.