Google Researchers Detail 5-Year-Old Apple Safari Vulnerability Exploited in the Wild

A security flaw in Apple Safari that was exploited in the wild
earlier this year was originally fixed in 2013 and reintroduced in
December 2016, according to a new report from Google Project
Zero.

The issue, tracked as CVE-2022-22620^[1]
(CVSS score: 8.8), concerns a case of a use-after-free
vulnerability in the WebKit component that could be exploited by a
piece of specially crafted web content to gain arbitrary code
execution.

In early February 2022, Apple shipped patches for the bug across
Safari, iOS, iPadOS, and macOS, while acknowledging that it “may
have been actively exploited.”

“In this case, the variant was completely patched when the
vulnerability was initially reported in 2013,” Maddie Stone of
Google Project Zero said^[2]. “However, the variant
was reintroduced three years later during large refactoring
efforts. The vulnerability then continued to exist for 5 years
until it was fixed as an in-the-wild zero-day in January 2022.”

While both the 2013^[3]
and 2022^[4]
bugs in the History API^[5]
are essentially the same, the paths to trigger the vulnerability
are different. Then subsequent code changes undertaken years later
revived the zero-day flaw from the dead like a “zombie.”

Stating the incident is not unique to Safari, Stone further
stressed taking adequate time to audit code and patches to avoid
instances of duplicating the fixes and understanding the security
impacts of the changes being carried out.

“Both the October 2016 and the December 2016 commits were very
large. The commit in October changed 40 files with 900 additions
and 1225 deletions. The commit in December changed 95 files with
1336 additions and 1325 deletions,” Stone noted.

“It seems untenable for any developers or reviewers to
understand the security implications of each change in those
commits in detail, especially since they’re related to lifetime
semantics.”