Attackers interested in getting the most bang for their buck focus on ubiquitous software. Microsoft’s Office, Adobe’s Acrobat and Oracle’s Java have all become popular platforms exploited by cybercriminals intent on compromising end users’ systems. Another platform has quietly made its way onto many systems and become the focus of security researchers, if not cybercriminals: Webkit.
The open-source HTML rendering engine has a significant share of the PC and Mac markets because of its inclusion in Google’s Chrome and Apple’s Safari browsers. Yet the software is far more popular than its browser share would indicate: a host of other applications — such as Yahoo! Messenger, MSN Messenger, iTunes, and even RealPlayer — use Webkit to render rich text formatting and interactive content. Add to that more than half a billion smartphones with browsers based on Webkit, and cybercriminals have a widespread population to attack.
“WebKit should be definitely considered a natural focus for security researchers and pretty much anyone else interested in vulnerabilities,” says Vincenzo Iozzo, an independent security researcher who used a Webkit vulnerability to compromise a BlackBerry smartphone at the annual Pwn2Own competition in March.
A report by Hewlett-Packard released last October confirms the trend as well, putting Webkit and Safari vulnerabilities, which it lumped together, on a similar trajectory as Adobe Flash vulnerabilities.
The ubiquity of Webkit can also be seen in the results of the Pwn2Own competition. The Safari browser and BlackBerry both fell because of flaws in Webkit. Even Google’s Chrome, which was not targeted in the competition, could have been exploited through the same Webkit flaw as the BlackBerry smartphone. The only two compromises not enabled by Webkit were the successful attacks on Microsoft’s Internet Explorer 8 and Apple’s iPhone 4 — the latter did focus on the Webkit-based MobileSafari browser, but didn’t involve Webkit, says security consultant Charlie Miller, who conducted the attack.
Vulnerabilities in Webkit are exacerbated by a problem common to shared code libraries: not all developers patch their code quickly. This week, for example, the Linux distribution Ubuntu patched a flaw — CVE-2010-1824 — in Webkit a year after the issue was fixed in the software’s source tree. Google fixed the issue in Chrome last year, SuSE Linux in January 2011 and Apple in March. Smartphones can take even longer to fix flaws, as patches have to pass through quality-control testing by both the manufacturer and the carrier.
Faster patching of vulnerabilities in common frameworks is the first step to eliminating the threat of compromise, say researchers. Making the problems more visible, through contests such as Pwn2Own, has helped, says Iozzo.
“I noticed though that thanks to competitions like Pwn2own the situation is improving in terms of speeding up patch cycles in commercial applications when new WebKit vulnerabilities are found,” he says.
Better patching is not enough, however, as developers will be hard-pressed to keep up with vulnerability discoveries. Apple, for example, patched nearly 50 Webkit vulnerabilities in a single update in March, including CVE-2010-1824. Among the dozens of other developers that use Webkit, most do not even make note of security fixes, making it difficult to gauge their response time.
Instead of trying to keep up with the attackers, software developers need to make their applications harder to exploit, says security expert Dino Dai Zovi. Both Apple and Google have already done this by placing the Webkit code in a sandbox, so that an attack exploiting a flaw in the rendering engine is contained and cannot reach the rest of the end user’s system.
“People need to stop focusing on the specific vulnerabilities, and focus on making exploitability hard,” Dai Zovi says.
Only then will common frameworks, such as Webkit, be — in the words of the Hitchhiker’s Guide to the Galaxy — mostly harmless.