Ask HN: What happened to Apples “rapid response” security updates

[cookiengineer]

The current CVE-2023-37450 seems to be related to the InjectedBundle API, which also allows IndexedDB access.

Back in 2021 there was the "history leaking" bug where you could write a little JS code to access the devtools whose window shared the IndexedDB with the rest of all tabs (and cookies, and userdata etc).

If you take a look at the recent WebKit commits, it seems like there were a bunch of bugs related to the InjectedBundle, that's why I am assuming it might be a critical RCE that results in yet another use after free in the IndexedDB or related code.

Back when I forked off RetroKit as a WebKit fork, I also decided to reduce the attack surface in terms of what is shared across the web contexts. I decided to remove a lot of APIs that I thought were too unsafe, both in terms of tracking and exploitation. [3]

[1] https://googleprojectzero.github.io/0days-in-the-wild/0day-R...

[2] https://github.com/WebKit/WebKit/commits

(see also the other release versions, not only main branch)

[3] https://github.com/tholian-network/retrokit/blob/main/SECURI...

[moritzwarhier]

Thanks for the thorough explanation! IIRC, IndexedDB or WebSQL has spectacularly failed, sadly, as it was meant to fill a real need. I'm sure there are many legitimate apps and sites using it, especially for PWA offline functonality... but I've only seen one of them in my career as a web dev so far.

And to be honest, the only reason they used it was because the developer probably wanted to.

So thinking twice, no, it wasn't a legitimate use, the 2KB of unstructured data they stored were easy to fit into localStorage...

But thinking about more complex apps, I'm now curious to find out if my assumption is correct. More complex apps probably extensively use it for offline functionality and state management... or don't they?

[cookiengineer]

Back in those days there were also the Filesystem API in discussion (and stage0/1 iirc).

From a web app devs perspective there was a huge need for file processing in the client, where the Blob API wasn't enough. The use case was e.g. batch processing or opening/uploading a folder with a bunch of files in them.

Sadly the limitations for web contexts were easily exploited by using dozens of subdomains, so you could DDoS the filesystem of the client with it and break out of the 80/100MB limit for each context in all browsers.

I am very sad to see the html5 manifest gone, because it was a superb way to describe online/offline assets that can/should/must be cached.

The combination of the removal of all those APIs basically pushed native apps again, because web apps are pretty useless as file selectors and all the hacks around input fields (even with WebKit's custom file picker). Even electron started at some point to offer custom APIs for file handling (and database handling) because of it, so I'd argue that the overall offline initiative was a huge disaster.

Now we have 10+ years outdated code in the devtools in browsers which use APIs that are not even available in web contexts anymore, and they are nothing more than a pointless maintenance burden.

I wish there was a smarter way to describe C ABIs inside C/C++ code, but sadly there isn't. The outdated headers and the data types serialization/deserialization from web context to web context is usually what results in use after free bugs in the C code that doesn't expect it. Add the casual heap spraying bugs and you've got a factory for RCEs that are easy to implement.

Servo and its idea of "how to program a browser that interacts with other embedded languages" could have changed so much about this state of program bugs and issues.

C ABIs are not enough anymore, yet they are the only way programs can interact with each other.

And I'd argue it's a huge fail of the software industry, and it has to change if we ever don't want to think about this anymore.