Apple emits emergency fix for exploited-in-the-wild WebKit vulnerability

Apple on Thursday patched a zero-day security vulnerability in its WebKit browser engine, issuing updates for iOS, iPadOS, and macOS.

Its Safari browser, based on WebKit, received the security update separately for instances where it is being used with an older version of macOS, like Big Sur. Apple's tvOS was also refreshed, but without the security fix.

The updates – iOS 15.3.1, iPadOS 15.3.1, and macOS Monterey 12.2.1 – address CVE-2022-22620, reported to Apple by an anonymous researcher.

"Processing maliciously crafted web content may lead to arbitrary code execution," the company's terse security advisory explains. "Apple is aware of a report that this issue may have been actively exploited."

Apple is aware of a report that this issue may have been actively exploited

CVE-2022-22620 is a use-after-free flaw that Apple says it fixed by implementing better memory management. No further details about the vulnerability or potential exploit code have been made available.

Zero-days in Apple software have been used to carry out sophisticated cyberattacks, such as those conducted by authoritarian regimes against members of civil society with the help of NSO Group's Pegasus software. In September, 2021, threat research group Citizen Lab documented a zero-day flaw called FORCEDENTRY (CVE-2021-30860) that had been used for at least eight months to compromise Apple iOS, macOS and watchOS devices.

Single point of failure

The Apple patch is relevant not just to users of Safari, which relies on WebKit, but to users of any iOS browser, because Apple requires that all iOS browsers use WebKit – a situation currently being considered by antitrust regulators in the US and UK.

Alex Russell, a program manager for Microsoft's Edge browser who formerly worked at Google and has long evangelized web technology, echoed past frustration with Apple's insistence that only WebKit is fit for iOS.

"Imagine, if you can, a world where installing an alternative browser as your default actually had a chance of protecting you from Apple's shocking underinvestment in security," he lamented via Twitter.

In defense of its practices, Apple claims "that as a result of its requirement that all browsers on iOS be based on its own browser engine, WebKit, it is more readily able to fix any privacy and security concerns that arise in a timely manner, and reduce risks for users," as the the UK's Competition and Market Authority recounted in its January 26, 2022 interim report.

• Microsoft manages a mere 51 security fixes for February update bundle
• Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware
• Critical 'remote escalation' flaw in Android 12 fixed in Feb security patch batch
• Remote code execution vulnerability in Samba due to macOS interop module

Based on past data gathered by Google's Project Zero, "in a timely manner" means "not all that quickly."

In Project Zero's recent analysis of zero-day remediation, Apple's average repair time for iOS bugs is more or less the same and Google's average repair time for Android – 70 and 72 days respectively.

But when browser repairs are compared, Apple fares less well.

"WebKit is the outlier in this analysis, with the longest number of days to release a patch at 73 days," wrote Project Zero researcher Ryan Schoen. "Their time to land the fix publicly is in the middle between Chrome and Firefox, but unfortunately this leaves a very long amount of time for opportunistic attackers to find the patch and exploit it prior to the fix being made available to users."

Time to shut the stable door

The Register understands from speaking to web developers opposed to Apple's WebKit policies that a few months ago Apple started showing signs that it intends to invest in WebKit.

Since Apple's Worldwide Developer Conference last year, developers participating in Apple's ecosystem have been scolding the company for underinvesting in the web. And they have expressed concern that Safari could become the new Internet Explorer – a reference to the time Microsoft's disinterest in its once-dominant browser frustrated web developers and ultimately led to the emergence of Mozilla's Firefox, and then Google's Chrome.

"Apple Legal often uses Web Apps as a defense against AppStore anti-trust/monopoly investigations but this defense is only realistic if there's a significant investment in Apple's web platform and is seen to at least be trying to keep it competitive with native apps," wrote a developer posting under the name Niskraw. "This alone should be a good enough reason for the higher ups to give the team the budget they need."

Since September 2021, Apple has posted 35 positions with its WebKit team in the US and leaders of that group on Twitter have repeatedly solicited technical talent.

But given Apple's less-than-eager response to comply with a recent Dutch ruling requiring the company to permit third-party payment processors in local data apps, it appears to be unlikely Apple will relax its WebKit requirement in iOS unless regulators force a change. ®