Safari is the browser used on all iOS devices. However, an old vulnerability was found to be exploited in the wild earlier this year; it is a bit surprising how old it is, which led the Google Project Zero team to give a very detailed report on this failure. Know the details in the following article.
Apple has been patching an old Safari vulnerability
Safari, like any good browser of an operating system, has been changing and improving over the years. But there is a flaw from 2013 that has remained exploited in the wild. In fact, this same vulnerability had been quiet for a few years, resurfaced in 2016, and earlier this year, it was back on researchers’ radar.
As The Hackers News explains: “The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), concerns a case of a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to gain arbitrary code execution.”
In February of this year, Apple released patches to resolve this vulnerability across all of its connecting devices, claiming a small acknowledgment of active exploitation of the vulnerability. The worrying thing is not the vulnerability itself (these will always exist) but that it took so long to repair one of its variants, as explained by the Google Project Zero team:
“In this case, the variant was completely patched when the vulnerability was initially reported in 2013,” Maddie Stone said. “However, the variant was reintroduced three years later during large refactoring efforts. The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild zero-day in January 2022.”
For this team of researchers, these kinds of vulnerabilities are like zombies, but the ways to activate them are different. They are still the same flaws that return from the afterlife. For Google Project Zero, it is important that developers take into account failure histories.
Keep in touch with our blog to read the latest news and innovations in the cybersecurity world.
Photo by Raagesh C on Unsplash.
Facebook: Eagle Tech Corp
LinkedIn: Eagle Tech
YouTube: Eagle Tech Corp