The CVE-2022-22620 Vulnerability
New research from Google Project Zero reveals that a vulnerability in Apple’s Safari, which was exploited in the wild earlier this year, was originally patched in 2013 and then reintroduced in December 2016. The vulnerability, tracked as CVE-2022-22620 and rated CVSS 8.8, is a use-after-free in WebKit, the browser engine underneath Safari. Processing maliciously crafted web content that triggers the flaw may lead to arbitrary code execution.
Apple acknowledged that the Safari bug “may have been actively abused” when it announced fixes for it at the beginning of February 2022, but the company disclosed no further details at that time.
Google Project Zero’s Maddie Stone says that when the problem was first found in 2013, it was fully fixed. A large refactoring of the surrounding code three years later, however, brought the flaw back. It then went unpatched for the next five years, until January 2022, when it was fixed after being found exploited in the wild as a zero-day.
Because the bug lives in WebKit rather than in Safari-specific code, the issue is not unique to Safari. Stone describes it as a “zombie”: a vulnerability that was killed once and then brought back to life by code changes made several years later.
In the report, Stone notes that the relevant WebKit code saw a significant amount of churn between October 2016 and December 2016. An October 2016 commit touched 40 files, adding 900 lines and deleting 1225; a December 2016 commit touched 95 distinct files, adding 1336 lines and deleting 1325.
The report concludes that changes to lifetime semantics, that is, to how long an object is guaranteed to stay alive and who holds a reference to it, make it hard for both the author and the reviewers of a change to judge its security impact. With that in mind, Stone stresses the need to audit code and patches carefully, both to avoid having to fix the same bug twice and to understand what a change means for users’ safety.
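To make concrete what a change in lifetime semantics looks like, here is an added, deliberately simplified C++ illustration of the bug class. It is not WebKit’s code and every name in it (Item, Protector, navigateUnprotected, navigateProtected, runScenario) is invented for the example; the shape, however, is the general one behind this kind of regression. The “before” function holds no reference of its own, so a re-entrant callback (standing in for script that runs in the middle of a navigation) can drop the last reference and leave the function with a dangling pointer, the classic use-after-free. The “after” function takes a scoped protector reference before it does anything else, so the object outlives the callback. A liveness set is used so that the unsafe path reports what would have happened instead of actually dereferencing freed memory.

```cpp
// Added illustration, not WebKit code: a refactor that drops a scoped
// ref-count "protector" turns a safe navigation into a use-after-free.
#include <cstdio>
#include <functional>
#include <set>
#include <string>
#include <utility>

// Test aid only: addresses of Item objects that are currently alive, so the
// demo can report "would have touched freed memory" instead of doing it.
static std::set<const void*> g_liveItems;

// Hypothetical ref-counted object standing in for a history entry.
class Item {
public:
    explicit Item(std::string title) : m_title(std::move(title)) { g_liveItems.insert(this); }
    ~Item() { g_liveItems.erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }   // last owner frees it
    const std::string& title() const { return m_title; }
private:
    unsigned m_refCount = 0;
    std::string m_title;
};

// RAII protector: holds one reference for the scope of the guard.
class Protector {
public:
    explicit Protector(Item& item) : m_item(&item) { m_item->ref(); }
    ~Protector() { m_item->deref(); }
    Protector(const Protector&) = delete;
    Protector& operator=(const Protector&) = delete;
    Item& get() const { return *m_item; }
private:
    Item* m_item;
};

static bool isLive(const Item* item) { return g_liveItems.count(item) != 0; }

struct NavResult {
    bool usedFreedObject;   // true if the code reached an already-freed Item
    std::string title;      // title read when the Item was still alive
};

// "Before" shape: the callee owns nothing. The callback stands in for script
// that runs mid-navigation and may drop the history's last reference.
NavResult navigateUnprotected(Item* item, const std::function<void()>& reentrantCallback) {
    reentrantCallback();                         // may free *item
    if (!isLive(item))                           // real code would just dereference here
        return { true, "" };
    return { false, item->title() };
}

// "After" shape: take a reference first, so the Item outlives the callback.
NavResult navigateProtected(Item& item, const std::function<void()>& reentrantCallback) {
    Protector protector(item);                   // refcount 2: history list + us
    reentrantCallback();                         // history list drops its ref: 1 left
    return { false, protector.get().title() };   // still alive; freed when protector dies
}

// Scenario: a "history list" is the only owner; the re-entrant callback clears it.
NavResult runScenario(bool protectItem) {
    Item* entry = new Item("page-1");
    entry->ref();                                          // owned by the history list
    auto clearHistory = [entry]() { entry->deref(); };     // drops the last owner reference
    return protectItem ? navigateProtected(*entry, clearHistory)
                       : navigateUnprotected(entry, clearHistory);
}

int main() {
    NavResult before = runScenario(false);
    NavResult after = runScenario(true);
    std::printf("unprotected: usedFreedObject=%d\n", before.usedFreedObject);   // 1
    std::printf("protected:   usedFreedObject=%d title=%s\n",
                after.usedFreedObject, after.title.c_str());                   // 0 page-1
    return 0;
}
```

The difference between the two navigate functions is a single line, which is exactly why a refactor that changes a parameter from a ref-counted handle to a raw pointer or reference is so easy to wave through in review: the diff looks like a mechanical cleanup, and nothing in the function body itself shows that the object can die underneath it.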
It is not known how long attackers made use of this vulnerability in the wild, but the bug was present from December 2016 all the way until its fix in January 2022. The discovery is a reminder that defenders and security researchers need to study and audit contributions and changes carefully, and that users should apply the latest fixes promptly.