These ports get frequent security updates from Apple to plug vulnerabilities, which users receive via regular updates. If you use Safari, you’re using the Mac or iOS port. The only one that matters for Linux users is QtWebKit. There are some downstream ports as well unlike the aforementioned ports, downstream ports are, well, downstream, and not part of the WebKit project. This is why two WebKit-based browsers, say, Safari and Epiphany (GNOME Web), can display the same page slightly differently: they’re using different WebKit ports.Ĭurrently, the WebKit project consists of six different ports: one for Mac, one for iOS, two for Windows (Apple Windows and WinCairo), and two for Linux (WebKitGTK+ and WebKitEFL). Different “ports” run different platform-specific code. While most code in WebKit is cross-platform, there’s a large amount of platform-specific code as well, to improve the user and developer experience in different environments. To understand WebKit security, you have to understand the concept of WebKit ports, because different ports handle security updates differently. (Another reason is that images hosted remotely can be used to determine when you read the email, violating your privacy.) WebKit Ports This is one reason why good email clients block all images by default: image rendering, like HTML rendering, is full of security vulnerabilities. Modern email clients render HTML mail using web engines, so malicious emails exploit many of the same vulnerabilities that a malicious web page might. It also explains how a malicious email can gain control of your computer. This is why it’s not a good idea to browse to dodgy web pages. Firefox does not have a sandbox due to major architectural limitations (which Mozilla is working on).įor this blog post, it’s enough to know that attackers use crafted input to exploit vulnerabilities to gain control of your computer. WebKit does have a Linux sandbox, but it’s not any good, so it’s (rightly) disabled by default. This makes it dramatically more difficult to exploit vulnerabilities. If the web engine is sandboxed, then a second type of attack, called a sandbox escape, is needed. ![]() They can then install malware, read all the files in your home directory, use your computer in a botnet to attack websites, and do basically whatever they want with it. The details don’t matter what’s important is that skilled attackers can turn these vulnerabilities into exploits, using carefully-crafted HTML to gain total control of your user account on your computer (or your phone). Web engines are full of security vulnerabilities, like buffer overflows and use-after-frees. The opinions expressed in this post are my own, not my employer’s, and not the WebKit project’s.It is safe to use so long as you apply the updates. WebKitGTK+ releases regular security updates upstream.Apple products receive regular security updates. This post does not apply to WebKit as used in Apple products.I want to be crystal clear about these points: This is the story of how that process has gone wrong for WebKit.īefore we get started, a few disclaimers. Apple fixed over 100 vulnerabilities in WebKit last year, so getting updates out to users is critical. But Linux users are dependent on their distributions to release updates. Major desktop browsers push automatic security updates directly to users on a regular basis, so most users don’t have to worry about security updates. ![]() ![]() Please see the CONTRIBUTING doc before raising new bugs, features and especially PRs.Linux distributions have a problem with WebKit security.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |