By Michael Catanzaro. Major Linux distributions have a problem with WebKit security. Whereas major desktop browsers push automatic security updates directly to users on a regular basis so that users don’t have to worry about updates, Linux users are dependent on their distributions to release updates. Well over 100 vulnerabilities that could allow remote code execution were fixed in WebKit last year, so getting updates out to users is critical. This talk examines the disconnect between how the WebKit project handles security issues upstream and how different major distributions do (or do not) handle security issues, shows that WebKit security issues have widespread impact even for users who do not use a WebKit-based web browser, and discusses the security consequences of the split between the original WebKit API and WebKit2.

1. August 12, 2016 KARLSRUHE
WebKit Security Updates
Michael Catanzaro (mcatanzaro@gnome.org)

2. WebKit Security Updates 2
Browser security in 45 seconds
Vulnerabilities: buffer overflows, null pointer dereferences, use-after-frees, etc.
Vulnerabilities let attackers craft exploits to gain control of your computer/phone
user account
Vulnerabilities can be mitigated by a sandbox (Chromium, Flatpak) or by
language (Rust)

3. WebKit Security Updates 3
WebKit Ports
macOS port
iOS port
Apple Windows port
WinCairo port
WebKitGTK+
WebKitEFL
(What about Chromium. . . ?)
(What about QtWebKit. . . ?)

4. WebKit Security Updates 4
WebKitGTK+
Desktop Linux + not Qt = WebKitGTK+
Flagship application is GNOME Web (Epiphany)
Other examples: Anjuta, Banshee, Devhelp, Emacs, Empathy, Evolution, Geany,
Geary, GIMP, gitg, GNOME Builder, GNOME Documents, GNOME Initial Setup,
GNOME Notes (Bijiben), GNOME Online Accounts, GnuCash, gThumb, Liferea,
Midori, Rhythmbox, Shotwell, Sushi, Yelp (GNOME Help)
Until recently, no security advisories

5. WebKit Security Updates 5
WebKit2: The Great API Break
WebKitGTK+ < 2.0: WebKit1 (and WebKit2 betas)
WebKitGTK+ 2 <= 2.4.x: WebKit1 and WebKit2
WebKitGTK+ >= 2.6.x: WebKit2
Supported transition period was two years (from 2.0 in March 2013 until 2.6 in
September 2014)
149 public vulnerabilities in WebKitGTK+ 2.4.9
Limited security update 2.4.10 fixes 27 of those
WebKit2 adoption is going very slowly
Considering removing WebKit1 apps from Fedora to speed things up

6. WebKit Security Updates 6
Recommended distros for WebKit: Arch, Fedora, Mageia
Arch: WebKitGTK+ 2.12.3
Fedora 24: WebKitGTK+ 2.12.3
Fedora 23: WebKitGTK+ 2.12.3
Mageia 5: WebKitGTK+ 2.12.3
Arch and Fedora: A
Recent Mageia update took two months, maybe still in updates-testing(?): B

7. WebKit Security Updates 7
openSUSE
openSUSE Tumbleweed: WebKitGTK+ 2.12.3
openSUSE Leap 42.1: WebKitGTK+ 2.10.7 (6 public vulnerabilities, 5 RCE)
(RCE = remote code execution)

8. WebKit Security Updates 8
RHEL, SLED
RHEL 7: WebKitGTK+ 2.4.9 (149 public vulnerabilities, 27 fixed in 2.4.10)
SLED: ???

9. WebKit Security Updates 9
Ubuntu
Ubuntu 16.10 (Yakkety): WebKitGTK+ 2.12.3
Ubuntu 16.04 (Xenial): WebKitGTK+ 2.10.9 (5 public vulnerabilities, 4 RCE)
Ubuntu 15.10 (Wily): WebKitGTK+ 2.8.5 (60 public vulnerabilities) (EOLed 2
weeks ago) (universe)
Ubuntu 14.04 (Trusty): WebKitGTK+ 2.4.10 (122 public vulnerabilities)
(WebKit1)

10. WebKit Security Updates 10
Debian
Zero security updates for stable
Debian Testing (Stretch): WebKitGTK+ 2.12.3
Debian 8.5 (Jessie): WebKitGTK+ 2.6.2 (106 public vulnerabilities)
Jessie Backports: WebKitGTK+ 2.12.0 (4 public vulnerabilities, all 4 RCE)
Debian 7.11 (Wheezy): WebKitGTK+ 1.8.1 (WebKit1)

11. WebKit Security Updates 11
Debian
Debian 8 includes several browser engines which are affected by a steady
stream of security vulnerabilities. The high rate of vulnerabilities and partial
lack of upstream support in the form of long term branches make it very
difficult to support these browsers with backported security fixes.
Additionally, library interdependencies make it impossible to update to newer
upstream releases. Therefore, browsers built upon the webkit, qtwebkit and
khtml engines are included in Jessie, but not covered by security support.
These browsers should not be used against untrusted websites.
For general web browser use we recommend Iceweasel or Chromium.
Chromium – while built upon the Webkit codebase – is a leaf package, which
will be kept up-to-date by rebuilding the current Chromium releases for
stable. Iceweasel and Icedove will also be kept up-to-date by rebuilding the
current ESR releases for stable.

12. WebKit Security Updates 12
Why not update?
Stuck on WebKit1 (RHEL, SLED, old Debian/Ubuntu)
Fear of regressions (modern Debian, Ubuntu)
Not paying attention (everyone else)

13. WebKit Security Updates 13
Why not patch downstream?
Highly impractical
Requires specialized expertise to handle conflicts
How to decide which patches to take, if not following upstream?

14. WebKit Security Updates 14
Vulnerabilities are bad, but keep things in perspective
Vulnerabilities are not exploits
You are still relatively safe from non-targeted exploits using GNU/Linux
Be more concerned about man-in-the-middle attacks: WebKit1 apps rarely do
proper certificate verification (e.g. Midori, Xombrero, Raspberry Pi browser,
Banshee, Shotwell)