Researchers from the Google Project Zero team have disclosed details of a vulnerability within Apple Safari. The team says the vulnerability was actively exploited in the wild.
Tracked as CVE-2022-22620, the vulnerability saw its first fix in 2013. However, by 2016, experts found a way to bypass the fix. The vulnerability has since been fixed.
Vulnerability in Apple Safari Sticks Around for Five Years
The zero-day vulnerability has been addressed by Apple in the WebKit affecting iOS, iPadOS, macOS and Safari, which may have been actively exploited in the wild. While there was a fix by Apple back in February, it is a use-after-free issue that could see exploitation by processing maliciously crafted HTLM web content. This leads to arbitrary code execution.
Essentially, use-after-free (UAF) is a vulnerability that relates to incorrect use of dynamic memory during program operation. After freeing a memory location, if a program does not the clear the pointer to that memory, a hacker is able to use that error to hack the program.
A security advisory published by Apple stated, “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited”.
Additionally, Google researcher Maddie Stone adds, “A use after free issue was addressed with improved memory management. The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild 0-day in January 2022.”
An anonymous researcher was the one to report the vulnerability, Cupertino addressed the issue by improving memory management.
Stone analyzed changes to Safari over the years, starting by analyzing the code for the patch shared by Apple as well as the description of the issue from the security bulletin stating that the vulnerability is use-after-free.
Stone stated,
“Whenever I’m doing a root cause analysis on a browser in-the-wild 0-day, along with studying the code, I also usually search through commit history and bug trackers to see if I can find anything related. I do this to try and understand when the bug was introduced, but also to try and save time.”
Tracking the Timeline
Additionally, the researcher also observed that commits dated October 16 and December 16 were very large. Stone also discovered that the commit in October changed 40 files with 900 additions and 1225 deletions. Concerning the commit in December, it changed 95 files with 1336 additions and 1325 deletions.
An expert concludes that the vulnerability was saw a complete fix in 2013, though during a refactoring in 2016 the fix saw a regression. Therefor, between December 2016 and January 2022 the vulnerability once agains was able to exist.
The expert also concluded that the developers responding to the 2013 bug report followed “a lot of best-practices”.
This serves as a reminder to keep your devices updated to the latest OS. Users should also makes sure that their apps are completely up to date as well.
Users can read the full report here.