Google researchers detail 5-year Apple Safari vulnerability exploited in the wild


A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.

The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), is a use-after-free vulnerability in the WebKit component: processing specially crafted web content could allow an attacker to achieve arbitrary code execution.

In early February 2022, Apple released patches for the bug in Safari, iOS, iPadOS and macOS, while acknowledging that it “may have been actively exploited”.

“In this case, the variant was fully patched when the vulnerability was first reported in 2013,” Maddie Stone of Google Project Zero said. “However, the variant was reintroduced three years later during major refactoring efforts. The vulnerability then persisted for 5 years until it was identified as an in-the-wild zero-day in January 2022.”

While the 2013 and 2022 bugs in the History API are essentially the same, the code paths that trigger the vulnerability are different. Code changes made years after the original fix revived the zero-day, bringing it back from the dead like a “zombie”.

Stone stressed that the incident is not unique to Safari, and that developers and reviewers should take adequate time to review code and patches, both to avoid undoing earlier fixes and to understand the security impact of the changes being made.

“Both the October 2016 and December 2016 commits were very large. The October commit changed 40 files with 900 additions and 1,225 deletions. The December commit changed 95 files with 1,336 additions and 1,325 deletions,” Stone noted.

“It seems untenable for developers or reviewers to understand in detail the security implications of every change to those commits, especially since they are related to lifetime semantics.”