Monday, June 20, 2022

Google Researchers Detail 5-Year-Old Apple Safari Vulnerability Exploited in the Wild


A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.

The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), concerns a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to gain arbitrary code execution.

In early February 2022, Apple shipped patches for the bug across Safari, iOS, iPadOS, and macOS, while acknowledging that it “might have been actively exploited.”


“In this case, the variant was completely patched when the vulnerability was initially reported in 2013,” Maddie Stone of Google Project Zero said. “Nevertheless, the variant was reintroduced three years later during massive refactoring efforts. The vulnerability then continued to exist for five years until it was fixed as an in-the-wild zero-day in January 2022.”

While both the 2013 and 2022 bugs in the History API are essentially the same, the paths to trigger the vulnerability are different. Subsequent code changes made years later then revived the zero-day flaw from the dead like a “zombie.”


Stating that the incident isn’t unique to Safari, Stone further stressed taking adequate time to audit code and patches to avoid instances of duplicating the fixes, and understanding the security impacts of the changes being carried out.

“Both the October 2016 and the December 2016 commits were very large. The commit in October changed 40 files with 900 additions and 1225 deletions. The commit in December changed 95 files with 1336 additions and 1325 deletions,” Stone noted.

“It seems untenable for any developers or reviewers to understand the security implications of each change in those commits in detail, especially since they’re related to lifetime semantics.”


