Safari: this 5-year-old flaw allowed hackers to infect your Apple devices


Alexander Schmid

June 23, 2022 at 1:35 p.m.


Safari © Shutterstock

Safari was susceptible to a “zombie” security flaw for more than five years: it was fixed in 2013, only to come back to life in 2016.

Google’s Project Zero team, whose job is to find zero-day vulnerabilities, has revisited the story of a security flaw it describes as a “zombie”, one that affected the Safari browser and, by extension, Apple devices.

The 2013 patch was not enough

The vulnerability in question is CVE-2022-22620, which carries a CVSS severity score of 8.8/10. It exploited a weakness in WebKit, the Apple-developed web rendering engine that Safari and other browsers are built on.

The flaw specifically concerns WebKit’s History API. It allowed attackers to inject and execute arbitrary code for malicious purposes, and, by Apple’s own admission, it may have been actively exploited.

What is surprising about this vulnerability is that Apple had originally identified and fixed it as early as 2013… before it made its comeback, hence the “zombie” nickname given to it by the Project Zero researchers.

A flaw that could be exploited from December 2016 to January 2022

According to Maddie Stone, one of the experts who discovered the flaw, a variant of it reappeared in 2016, three years after the 2013 fix. The attack relies on the same bugs as the older version but reaches them by different paths. The code was also modified to get around the protections Apple had put in place.

For more than five years, Safari was therefore vulnerable to this second-generation flaw. Apple finally released updates for Safari, iOS, iPadOS and macOS in February 2022 to get rid of it, hopefully for good this time.

The author of the article detailing this case clears Apple’s teams of any responsibility, acknowledging that there is no easy answer to what should have been done differently and that the developers who patched the flaw in 2013 “followed many good practices”.

In particular, they had fixed every way of triggering the vulnerability, not just the path used by the proof of concept. They had also clearly documented in their commits the nature of the flaw and how they intended to fix it.


Source: Project Zero
