How refactoring code in Safari's WebKit resurrected 'zombie' security bug

Fixed in 2013, reinstated in 2016, exploited in the wild this year


A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

The bug was tracked as CVE-2022-22620, with a CVSS severity score of 8.8 out of 10. It had been patched in 2013 and then reintroduced in 2016 during a code refresh. In February, it was fixed again by Apple in Safari and iOS/iPadOS updates.

"Almost halfway through 2022 and it seems like we're seeing a similar trend" in such zombie flaws, Stone wrote. "Attackers don't need novel bugs to effectively exploit users with zero-days, but instead can use vulnerabilities closely related to previously disclosed ones."

Last year Stone wrote that a quarter of the zero-day vulnerabilities tracked in 2020 by Project Zero were closely related to flaws that had been publicly disclosed in the past. Typically, this happens as a result of incomplete patching by the developer or manufacturer – a software update doesn't fully address the underlying flaw, leaving it still exploitable in some way.

That said, the situation with the Safari hole is a bit different. In this case, Apple completely patched the hole when the vulnerability was detected in 2013, but "its fix was just regressed in 2016 during refactoring. We don't know how long an attacker was exploiting this vulnerability in-the-wild, but we do know that the vulnerability existed (again) for five years: December 2016 until January 2022," she wrote.

That is to say, engineers tidied up and reordered some parts of their source code, and as a result, inadvertently reintroduced the exploitable bug. See Stone's technical analysis for the full details.

The vulnerability in 2013 was a use-after-free flaw in the History API code in the open-source WebKit engine of Safari. The API provides access to the history of the browser session and allows the user to modify the history.

The bug from 2013, and the closely related one spotted being exploited this year, both involve the History API and could be abused via a specially crafted piece of web content, giving cybercriminals the chance to gain arbitrary code execution capabilities on victims' devices.

"It's the same bug, but triggered through a different path," Stone wrote. "That's why the 2013 test case wasn't crashing the version of WebKit that should have been vulnerable to CVE-2022-22620."

She noted that developers in 2013 patched all the different paths that triggered the vulnerability, not only the one in proof-of-concept exploit code that was submitted at the time to prove a flaw existed. However, the refactoring done in December 2016 revived the vulnerability.

Source code commits in October and December 2016 were large, according to Stone. The first one changed 40 files with 900 additions and 1,225 deletions, while the second commit changed 95 files, with 1,336 additions and 1,325 deletions.

She listed refactoring among the key challenges facing developers – joining such others as legacy code and short turnaround expectations for reviewers. And she argued that developers and security teams need time to review patches – particularly those done for security reasons. In addition, rewarding these efforts "will save the vendor resources in the long run," Stone wrote.

"In this case, nine years after a vulnerability was initially triaged, patched, tested, and released, the whole process had to be duplicated again, but this time under the pressure of in-the-wild exploitation."

Apple fixes the issue, but isn't alone

In February, Apple released patches for the CVE-2022-22620 flaw.

Stone noted that the Apple Safari flaw wasn't the only zombie vuln situation this year. In 2022, Project Zero has also seen in-the-wild zero-days that are variants of previously disclosed bugs in Chromium, Windows, Pixel devices, and iOS.

In 2020, the group found that six of 24 zero-day exploits were closely related to vulnerabilities that had earlier been disclosed in Windows, Firefox, Chrome and Safari.

"Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit," Stone wrote last year, adding that in 2020, "[One] out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored. Across the industry, incomplete patches – patches that don't correctly and comprehensively fix the root cause of a vulnerability – allow attackers to use 0-days against users with less effort."

John Bambenek, principal researcher with cybersecurity vendor Netenrich, told The Register that zombie 0-days typically result from incomplete patching. Software firms need to reward and value security in their products and give developers and security professionals time to audit commits for robustness.

"Companies that value features above all else will, in particular, keep seeing this problem," Bambenek said. "This problem is with software development generally. Humans are creatures of habit, so the patterns of thought and action that led to vulnerabilities also lead to their reintroduction." ®

