A security flaw in Apple Safari that was exploited in the wild earlier this year was initially patched in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.
The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), is a use-after-free vulnerability in the WebKit component that could be exploited via specially crafted web content to achieve arbitrary code execution.
In early February 2022, Apple sent patches for the bug to Safari, iOS, iPadOS and macOS, while acknowledging that it “may have been actively exploited”.
“In this case, the variant was completely patched when the vulnerability was first reported in 2013,” said Maddie Stone of Google Project Zero. “However, the variant was reintroduced three years later during major refactoring efforts. The vulnerability then continued to exist for five years until it was patched as an in-the-wild zero-day in January 2022.”
While the 2013 and 2022 bugs in the History API are essentially the same, the paths to triggering the vulnerability are different. Code changes undertaken years after the original fix revived the flaw like a “zombie”.
Noting that the incident is not unique to Safari, Stone further pointed out that sufficient time is needed to audit code and patches, both to avoid regressions of earlier fixes and to understand the security impact of the changes being made.
“The October 2016 and December 2016 commits were very large. The October commit changed 40 files with 900 additions and 1225 deletions. The December commit changed 95 files with 1336 additions and 1325 deletions,” Stone noted.
“It seems untenable for developers or reviewers to fully understand the security implications of every change in these commits, especially as they relate to lifetime semantics.”