A problem in WebKit, fixed in 2013, returned to the code again in 2016 and remained unnoticed until January 2022. Attackers have already actively used it, and no one knows for how long.
Google Project Zero experts published details about a bug in the Safari browser (in the WebKit engine), which, as it turned out, had already been fixed almost ten years ago. However, in 2016 it was mistakenly returned to the code and only in 2022 was it assigned the CVE index. Hackers actively exploited this vulnerability before Apple fixed it.
CVE-2022-22620 is a use-after-free allocated memory cell error. Arbitrary code execution can be achieved by processing specially crafted web content. The vulnerability was rated 8.8 on the CVSS scale. It affects WebKit versions for iOS, iPadOS, and macOS.
Apple released updates against this bug back in February 2022. At the same time, the company said that the vulnerability could already be actively exploited by hackers, and no one knows for how long.
In 2013, Apple released an update that completely fixed the same vulnerability. At that time, she was not even assigned a CVE index.
In 2016, in October and December, massive changes were made to WebKit during the refactoring procedures, as a result of which the old fixed vulnerability was again in the code. It wasn’t until five years later that it was noticed again, when attackers started using it.
the other way
Google Project Zero technical analysis indicates that CVE-2022-22620 is exactly the same bug that was fixed in 2013, but now requires a slightly different approach to exploit it.
Yuri Sosnin, Astra: Since February, we have been experiencing an avalanche-like growth in requests for migration
Information about specific attacks and their consequences is not yet available. Since Apple devices are patched centrally, chances are that most of the supported devices are already secure.
“The return of old errors to the code, as a rule, is associated with the use of some third-party libraries: apparently, the wrong version was used during refactoring, and the error ended up in the code again,” believes Anastasia Melnikova, director of information security at SEQ. “It probably never occurred to anyone at Apple to check WebKit for a vulnerability that has already been fixed. The hackers most likely found it by pure chance. Now, however, they have a reason to go through other old vulnerabilities in the hope that some of them, too, have risen from the dead.
The authors of the Google Project Zero study noted that since the beginning of 2022, zero-day vulnerabilities in Chromium, Windows, Pixel and iOS have been repeatedly observed, which turned out to be variants of previously identified and fixed bugs.