Apple emits emergency fix for exploited-in-the-wild WebKit vulnerability

Flaw imperils Safari – and every iOS browser because of Cupertino's T&Cs

Apple on Thursday patched a zero-day security vulnerability in its WebKit browser engine, issuing updates for iOS, iPadOS, and macOS.

Its Safari browser, based on WebKit, received the security update separately for instances where it is being used with an older version of macOS, like Big Sur. Apple's tvOS was also refreshed, but without the security fix.

The updates – iOS 15.3.1, iPadOS 15.3.1, and macOS Monterey 12.2.1 – address CVE-2022-22620, reported to Apple by an anonymous researcher.
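As an added example (not part of The Register's article), the version check a fleet administrator would run to see whether a Mac is on a Monterey build carrying this fix; it assumes macOS's `sw_vers -productVersion` and treats anything below macOS 12 as "check Safari separately", since the page says the fix shipped as a standalone Safari update for older releases like Big Sur and does not give that Safari version number:

```shell
#!/bin/sh
# Constructed example: classify a macOS product version against the
# Monterey build that carries the CVE-2022-22620 fix (12.2.1 per Apple).
PATCHED_MONTEREY="12.2.1"

# version_ge A B -> exit 0 if dotted version A >= B, comparing each
# component numerically (so 12.10 > 12.2 and 12.2 < 12.2.1).
version_ge() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # ran out of components: equal
        x=${x:-0}; y=${y:-0}                      # missing component counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# cve_2022_22620_status VERSION -> prints one of:
#   patched      : Monterey at or above 12.2.1
#   vulnerable   : Monterey below 12.2.1
#   check-safari : pre-Monterey major (e.g. Big Sur 11.x), where the fix
#                  came as a separate Safari update not covered by this check
cve_2022_22620_status() {
    v="$1"
    major=$(printf '%s' "$v" | cut -d. -f1)
    if [ "$major" -lt 12 ]; then
        echo "check-safari"
    elif version_ge "$v" "$PATCHED_MONTEREY"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Usage: run with no argument on a Mac to read the live version, or pass
# a version string (e.g. ./check.sh 12.2) to classify it offline.
if [ -n "$1" ]; then
    cve_2022_22620_status "$1"
elif command -v sw_vers >/dev/null 2>&1; then
    cve_2022_22620_status "$(sw_vers -productVersion)"
fi
```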

"Processing maliciously crafted web content may lead to arbitrary code execution," the company's terse security advisory explains. "Apple is aware of a report that this issue may have been actively exploited."


CVE-2022-22620 is a use-after-free flaw that Apple says it fixed by implementing better memory management. No further details about the vulnerability or potential exploit code have been made available.

Zero-days in Apple software have been used to carry out sophisticated cyberattacks, such as those conducted by authoritarian regimes against members of civil society with the help of NSO Group's Pegasus software. In September, 2021, threat research group Citizen Lab documented a zero-day flaw called FORCEDENTRY (CVE-2021-30860) that had been used for at least eight months to compromise Apple iOS, macOS and watchOS devices.

Single point of failure

The Apple patch is relevant not just to users of Safari, which relies on WebKit, but to users of any iOS browser, because Apple requires that all iOS browsers use WebKit – a situation currently being considered by antitrust regulators in the US and UK.

Alex Russell, a program manager for Microsoft's Edge browser who formerly worked at Google and has long evangelized web technology, echoed past frustration with Apple's insistence that only WebKit is fit for iOS.

"Imagine, if you can, a world where installing an alternative browser as your default actually had a chance of protecting you from Apple's shocking underinvestment in security," he lamented via Twitter.

In defense of its practices, Apple claims "that as a result of its requirement that all browsers on iOS be based on its own browser engine, WebKit, it is more readily able to fix any privacy and security concerns that arise in a timely manner, and reduce risks for users," as the UK's Competition and Markets Authority recounted in its January 26, 2022 interim report.

Based on past data gathered by Google's Project Zero, "in a timely manner" means "not all that quickly."

In Project Zero's recent analysis of zero-day remediation, Apple's average repair time for iOS bugs is more or less the same as Google's average repair time for Android – 70 and 72 days respectively.

But when browser repairs are compared, Apple fares less well.

"WebKit is the outlier in this analysis, with the longest number of days to release a patch at 73 days," wrote Project Zero researcher Ryan Schoen. "Their time to land the fix publicly is in the middle between Chrome and Firefox, but unfortunately this leaves a very long amount of time for opportunistic attackers to find the patch and exploit it prior to the fix being made available to users."

Time to shut the stable door

The Register understands from speaking to web developers opposed to Apple's WebKit policies that a few months ago Apple started showing signs that it intends to invest in WebKit.

Since Apple's Worldwide Developer Conference last year, developers participating in Apple's ecosystem have been scolding the company for underinvesting in the web. And they have expressed concern that Safari could become the new Internet Explorer – a reference to the time Microsoft's disinterest in its once-dominant browser frustrated web developers and ultimately led to the emergence of Mozilla's Firefox, and then Google's Chrome.

"Apple Legal often uses Web Apps as a defense against AppStore anti-trust/monopoly investigations but this defense is only realistic if there's a significant investment in Apple's web platform and is seen to at least be trying to keep it competitive with native apps," wrote a developer posting under the name Niskraw. "This alone should be a good enough reason for the higher ups to give the team the budget they need."

Since September 2021, Apple has posted 35 positions with its WebKit team in the US and leaders of that group on Twitter have repeatedly solicited technical talent.

But given Apple's less-than-eager response to comply with a recent Dutch ruling requiring the company to permit third-party payment processors in local data apps, it appears unlikely that Apple will relax its WebKit requirement in iOS unless regulators force a change. ®
