A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago, a perfect example of a "zombie" vulnerability.
That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices, or a bug closely related to a patched one.
In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.
The bug was tracked as CVE-2022-22620, with a CVSS severity score of 8.8 out of 10. It had been patched in 2013 and then reintroduced in 2016 during a code refresh. In February, it was fixed again by Apple in Safari and iOS/iPadOS updates.
"Almost halfway through 2022 and it seems like we're seeing a similar trend" in such zombie flaws, Stone wrote. "Attackers don't need novel bugs to effectively exploit users with zero-days, but instead can use vulnerabilities closely related to previously disclosed ones."
Last year Stone wrote that a quarter of the zero-day vulnerabilities tracked in 2020 by Project Zero were closely related to flaws that had been publicly disclosed in the past. Typically, this happens as a result of incomplete patching by the developer or manufacturer: a software update doesn't fully address the underlying flaw, leaving it still exploitable in some way.
That said, the situation with the Safari hole is a bit different. In this case, Apple completely patched the hole when the vulnerability was detected in 2013, but "its fix was just regressed in 2016 during refactoring. We don't know how long an attacker was exploiting this vulnerability in-the-wild, but we do know that the vulnerability existed (again) for five years: December 2016 until January 2022," she wrote.
That is to say, engineers tidied up and reordered some parts of their source code, and as a result, inadvertently reintroduced the exploitable bug. See Stone's technical analysis for the full details.
The vulnerability in 2013 was a use-after-free() flaw in the History API code in the open-source WebKit engine of Safari. The API provides access to the history of the browser session and allows the user to modify the history.
The bug from 2013, and the closely related one spotted being exploited this year, both involve the History API and could be abused via a specially crafted piece of web content, giving cybercriminals the chance to gain arbitrary code execution capabilities on victims' devices.
"It's the same bug, but triggered through a different path," Stone wrote. "That's why the 2013 test case wasn't crashing the version of WebKit that should have been vulnerable to CVE-2022-22620."
She noted that developers in 2013 patched all the different paths that triggered the vulnerability, not only the one in proof-of-concept exploit code that was submitted at the time to prove a flaw existed. However, the refactoring done in December 2016 revived the vulnerability.
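A minimal model of that situation, added here as an illustration and not taken from WebKit or from Stone's analysis: two entry points use the same object across a script callback, a refactor drops the owning reference on one of them, and the test written from the original proof of concept keeps passing because it only exercises the other. `Session`, `pathA`, `pathB` and the trigger are hypothetical names, and `std::weak_ptr` stands in for a raw pointer so the stale access is reported rather than undefined.

```cpp
// Constructed model, not WebKit code. Session/pathA/pathB are hypothetical names.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <utility>

struct Session {
    std::shared_ptr<std::string> state = std::make_shared<std::string>("s0");
    // Replacing the state releases the session's reference to the old object.
    void replaceState(std::string v) { state = std::make_shared<std::string>(std::move(v)); }
};

enum class Result { Ok, StaleAccess };
using Script = std::function<void(Session&)>;
using Path = Result (*)(Session&, const Script&);

// Path A: still carries the fix, an owning reference taken before script runs.
Result pathA(Session& s, const Script& script) {
    std::shared_ptr<std::string> keep = s.state;
    std::weak_ptr<std::string> ref = keep;
    script(s);  // page-controlled code runs mid-operation
    return ref.expired() ? Result::StaleAccess : Result::Ok;
}

// Path B: the refactor dropped the owning reference. weak_ptr stands in for a
// raw pointer so the dangling access is reported instead of being undefined.
Result pathB(Session& s, const Script& script) {
    std::weak_ptr<std::string> ref = s.state;
    script(s);
    return ref.expired() ? Result::StaleAccess : Result::Ok;
}

// Trigger shared by both paths: script swaps the state during the call.
const Script kSwapState = [](Session& s) { s.replaceState("s1"); };

// Regression test written from the original proof of concept: path A only.
bool originalTestPasses() { Session s; return pathA(s, kSwapState) == Result::Ok; }

// Variant-aware check: the same trigger through every path that uses the object.
int stalePaths() {
    const Path paths[] = {pathA, pathB};
    int stale = 0;
    for (Path p : paths) { Session s; if (p(s, kSwapState) == Result::StaleAccess) ++stale; }
    return stale;
}

int main() {
    std::printf("original test passes: %d, stale paths: %d\n", originalTestPasses(), stalePaths());
}
```

The original test stays green while the variant-aware check reports one stale path, which is why a regression suite bound to a single proof of concept cannot stand in for review of a refactor that touches previously fixed code.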
Source code commits in October and December 2016 were large, according to Stone. The first one changed 40 files with 900 additions and 1,225 deletions, while the second commit changed 95 files, with 1,336 additions and 1,325 deletions.
She listed refactoring among the key challenges facing developers, joining such others as legacy code and short turnaround expectations for reviewers. And she argued that developers and security teams need time to review patches, particularly those done for security reasons. In addition, rewarding these efforts "will save the vendor resources in the long run," Stone wrote.
"In this case, nine years after a vulnerability was initially triaged, patched, tested, and released, the whole process had to be duplicated again, but this time under the pressure of in-the-wild exploitation."
In February, Apple released patches for the CVE-2022-22620 flaw.
Stone noted that the Apple Safari flaw wasn't the only zombie vuln situation this year. In 2022, Project Zero also has seen in-the-wild zero-days that are variants of previously disclosed bugs in Chromium, Windows, Pixel devices, and iOS.
In 2020, the group found that six of 24 zero-day exploits were closely related to vulnerabilities that had earlier been disclosed in Windows, Firefox, Chrome and Safari.
"Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit," Stone wrote last year, adding that in 2020, "[One] out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored.Across the industry, incomplete patches patches that don't correctly and comprehensively fix the root cause of a vulnerability allow attackers to use 0-days against users with less effort."
John Bambenek, principal researcher with cybersecurity vendor Netenrich, told The Register that zombie 0-days typically result from incomplete patching. Software firms need to reward and value security in their products and give developers and security professionals time to audit commits for robustness.
"Companies that value features above all else will, in particular, keep seeing this problem," Bambenek said. "This problem is with software development generally. Humans are creatures of habit, so the patterns of thought and action that led to vulnerabilities also lead to their reintroduction."
Read more:
How refactoring code in Safari's WebKit resurrected 'zombie' security bug - The Register
Reviewed and Recommended by Erik Baquero