CVE-2022-22620 is a security vulnerability in Apple’s Safari browser which has been exploited in the wild. Originally patched in 2013, the flaw re-emerged in December 2016, Maddie Stone from Google Project Zero said in her analysis.
The researcher referred to the vulnerability as a “zombie” Safari zero-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022,” she said.
CVE-2022-22620: What Happened?
According to the official technical description, the vulnerability is a use after free issue fixed with improved memory management. Originally, it was fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 166188.8.131.52.8 and 156184.108.40.206.8). The vulnerability could be used in arbitrary code execution in case of processing maliciously crafted web content.
“In this case, the variant was completely patched when the vulnerability was initially reported in 2013. However, the variant was reintroduced three years later during large refactoring efforts. The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild zero-day in January 2022,” Stone wrote.
It is noteworthy that both the 2013 and the 2022 variants of the vulnerability are the same as per the History API. However, the paths to trigger it are different. The vulnerability was resurrected again after some code changes. More specifically, the researcher’s analysis shows that “it’s due to the October 2016 changes in HistoryItem:stateObject.”
The morale of this case is that both code and patches should be audited adequately to avoid duplicating fixes. It is also very important for developers to understand the security impacts of any changes they implement to the code. According to Stone who carefully inspected the commits, both the October and December 2016 ones were quite large.
“The commit in October changed 40 files with 900 additions and 1225 deletions. The commit in December changed 95 files with 1336 additions and 1325 deletions. It seems untenable for any developers or reviewers to understand the security implications of each change in those commits in detail, especially since they’re related to lifetime semantics,” the researcher noted.
In the case of the CVE-2022-22620 vulnerability, 9 years after it was initially triaged, patched, tested, and released, the whole process had to be duplicated again, but this time under the pressure of in-the-wild exploitation.
“While this case study was a 0-day in Safari/WebKit, this is not an issue unique to Safari. Already in 2022, we’ve seen in-the-wild 0-days that are variants of previously disclosed bugs targeting Chromium, Windows, Pixel, and iOS as well. It’s a good reminder that as defenders we all need to stay vigilant in reviewing and auditing code and patches.“ Stone concluded.