The WebKit rendering engine used in many Linux applications is a complete security mess. That’s the takeaway from a blog post by Michael Catanzaro, who works on GNOME’s WebKitGTK+ project. He’s sounding the alarm about a problem the open-source community needs to fix.

The problem with WebKit

Most web browsers issue regular security updates to their users. But, if you’re using a WebKit-based browser, or email client, or any other application that uses that rendering engine, on Linux, you almost certainly aren’t getting security updates.

WebKit is a large open-source project. Apple uses WebKit for Safari on Mac and iOS, and those versions of WebKit receive regular security updates. But the WebKit port used for Linux does not.

The common port used by Linux distros is WebKitGTK+, which is associated with GNOME software and other applications that use the GTK+ toolkit. This includes Epiphany, GNOME’s flagship web browser, often called simply “Web” or “GNOME Web.” It also includes a variety of other applications, such as the Evolution email client, Midori web browser, GIMP image-editing program, Banshee and Rhythmbox media players, and many other programs.

Historically, WebKitGTK+ hasn’t had security updates. Updates were released with security fixes, but the project didn’t provide CVE numbers, so Linux distributions didn’t issue them as updates. The project did release a security advisory listing over 130 fixed issues at the end of December, however. That was over a month ago, and only Fedora has made changes to accommodate these updates. Worse, even if these updates were rolled out on a frequent basis, some applications still rely on older versions of WebKit that no longer receive any updates at all, including security updates.

This isn’t just a GNOME problem. The KDE project is moving away from WebKit and towards the Chromium-based QtWebEngine. But many applications still rely on a WebKit port called QtWebKit, which is now years out of date. Applications like the KMail email client, Rekonq web browser, KTorrent BitTorrent client, Amarok media player, and others use this old version of WebKit, which contains numerous security holes.

This isn’t even just a Linux problem. Any PC game or other Windows application that ships with an embedded version of WebKit likely has a huge number of unpatched security holes in its embedded web browser, too.

This is a big topic. To really understand the details, read Michael Catanzaro’s full blog post.

Ubuntu includes Firefox and Thunderbird, and that’s probably for the best.

Mozilla’s Gecko and Google’s Blink do get updates

To stay properly secure when web browsing on Linux, you should avoid web browsers based on WebKit. Web browsers based on Mozilla Firefox and Google’s Chromium project do receive timely security updates, and they should be your go-to options. Debian officially advises using a Firefox or Chromium-based browser for this reason.

The Mozilla Firefox web browser that some Linux distributions use is good, although it may be called by a different name. On Debian, for example, it’s called Iceweasel. These browsers are based on Mozilla's Gecko engine.

Some Linux distributions provide Chromium, the open-source version of Google’s Chrome. It too receives security updates. You can also install Google Chrome directly from Google, and Google will provide its own security updates for you. These browsers use Google’s Blink engine.

Try to stay away from email clients that rely on WebKit, too. You could use web-based email, or try the desktop-based Mozilla Thunderbird. Like Firefox, it’s based on Mozilla’s Gecko engine. Thunderbird isn’t receiving new features, but it is receiving security updates.

If you do want to use WebKit-based applications, you should use a Linux distribution that regularly ships updated versions of WebKitGTK+ soon after they’re released. According to the blog post, this is currently only Fedora and Arch, although the testing versions of Debian, OpenSUSE, and Gentoo are also updated. Even if you use these Linux distributions, the applications themselves that rely on older ports of WebKit will still be vulnerable.