A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago a perfect example of a "zombie" vulnerability.
That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices or a bug closely related to a patched one.
In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.
The bug was tracked as CVE-2022-22620, with a CVSS severity score of 8.8 out of 10. It had been patched in 2013 and then reintroduced in 2016 during a code refresh. In February, it was fixed again by Apple in Safari and iOS/iPadOS updates.
"Almost halfway through 2022 and it seems like we're seeing a similar trend" in such zombie flaws, Stone wrote. "Attackers don't need novel bugs to effectively exploit users with zero-days, but instead can use vulnerabilities closely related to previously disclosed ones."
Last year Stone wrote that a quarter of the zero-day vulnerabilities tracked in 2020 by Project Zero were closely related to flaws that had been publicly disclosed in the past. Typically, this happens as a result of incomplete patching by the developer or manufacturer a software update doesn't fully address the underlying flaw, leaving it still exploitable in some way.
That said, the situation with the Safari hole is a bit different. In this case, Apple completely patched the hole when the vulnerability was detected in 2013, but "itsfix was just regressedin 2016during refactoring. We don't know how long an attacker was exploiting this vulnerability in-the-wild, but we do know that the vulnerability existed (again) for five years: December 2016 until January 2022," she wrote.
That is to say, engineers tidied up and reordered some parts of their source code, and as a result, inadvertently reintroduced the exploitable bug. See Stone's technical analysis for the full details.
The vulnerability in 2013 was a use-after-free() flaw in the History API code in the open-source WebKit engine of Safari. The API provides access to the history of the browser session and allows the user to modify the history.
The bug from 2013, and the closely related one spotted being exploited this year, both involve the History API and could be abused via a specially crafted piece of web content, giving cybercriminals the chance to gain arbitrary code execution capabilities on victims' devices.
"It's the same bug, but triggered through a different path," Stone wrote. "That's why the 2013 test case wasn't crashing the version of WebKit that should have been vulnerable to CVE-2022-22620."
She noted that developers in 2013 patched all the different paths that triggered the vulnerability, not only the one in proof-of-concept exploit code that was submitted at the time to prove a flaw existed. However, the refactoring done in December 2016 revived the vulnerability.
Source code commits in October and December 2016 were large, according to Stone. The first one changed 40 files with 900 additions and 1,225 deletions, while the second commit changed 95 files, with 1,336 additions and 1,325 deletions.
She listed refactoring among the key challenges facing developers joining such others as legacy code, short turnaround expectations for reviewers and legacy code. And she argued that developers and security teams need time to review patches particularly those done for security reasons. In addition, rewarding these efforts "will save the vendor resources in the long run," Stone wrote.
"In this case, nine years after a vulnerability was initially triaged, patched, tested, and released, the whole process had to be duplicated again, but this time under the pressure of in-the-wild exploitation."
In February, Apple released patches for the CVE-2022-22620 flaw.
Stone noted that the Apple Safari flaw wasn't the only zombie vuln situation this year. In 2022, Project Zero also has seen in-the-wild zero-days that are variants of previously disclosed bugs in Chromium, Windows, Pixel devices, and iOS.
In 2020, the group found that six of 24 zero-day exploits were closely related to vulnerabilities that had earlier been disclosed in Windows, Firefox, Chrome and Safari.
"Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit," Stone wrote last year, adding that in 2020, "[One] out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored.Across the industry, incomplete patches patches that don't correctly and comprehensively fix the root cause of a vulnerability allow attackers to use 0-days against users with less effort."
John Bambenek, principal researcher with cybersecurity vendor Netenrich, told The Register that zombie 0-days typically result from incomplete patching. Software firms need to reward and value security in their products and give developers and security professionals time to audit commits for robustness.
"Companies that value features above all else will, in particular, keep seeing this problem," Bambenek said. "This problem is with software development generally. Humans are creatures of habit, so the patterns of thought and action that led to vulnerabilities also lead to their reintroduction."
Read more:
How refactoring code in Safari's WebKit resurrected 'zombie' security bug - The Register
- Zombie car factories on the rise in China as buyers opt for EVs - Financial Times - March 16th, 2024
- Hey, Remember When Rob Zombie Was Going To Direct THE CROW 3? - FANGORIA - March 16th, 2024
- New Walking Dead Twist Shows How The Zombie Outbreak Will Finally End - Screen Rant - March 16th, 2024
- Candid conversations from death row with The Zombie Hunter - Arizona's Family - March 16th, 2024
- Zombie! The Musical - REVIEW - City Hub Sydney - March 16th, 2024
- A Gorgeous Harp and Guitar String Duet of 'Zombie' by The Cranberries in Honor of Alexei Navalny - Laughing Squid - March 16th, 2024
- Y2K Review: A 1999 Youth Nostalgia Comedy That Turns Into an Attack-of-the-Computers Zombie Movie. But Only the First One Is Fun - Variety - March 16th, 2024
- AMC Announces Every Zombie in The Walking Dead Getting Its Own Spin-Off - Hard Drive - March 16th, 2024
- The Growing Threat of Zombie Code - CXOToday.com - March 16th, 2024
- The Greatest Zombie Movie Ever Gets Theatrical Return For Anniversary - Giant Freakin Robot - March 16th, 2024
- You won't expect which fighting game character pops up in this random mobile zombie game trailer for a bizarre ... - EventHubs - March 16th, 2024
- Coby White, Butler and the 'Zombie Heat,' Fontecchio Are All Here to Stay - Canis Hoopus - March 16th, 2024
- 'Land of the Dead' 19 Years Later: Romero's Return Was Smarter Than the Average Zombie Movie - Bloody Disgusting - March 16th, 2024
- Z Nation Season 6: SYFY Tease Return of Zombie Series 6 Years After Its Death - ComingSoon.net - March 16th, 2024
- Zombie! The Musical (Hayes Theatre Co) - Limelight - March 16th, 2024
- Get This Definitive Edition Zombie Game For Free Right Now On Steam - Screen Rant - February 19th, 2024
- The Best Ghost and Zombie Movie Romances - Vulture - February 19th, 2024
- The couple trying to keep killer 'zombie viruses' at bay - and protect us from another pandemic - The Telegraph - February 19th, 2024
- Meet the Serbian Businessman/DJ Who Runs the Zombie AI Southwest Journal - Racket - February 19th, 2024
- Dead Island 2 Spreading Its Zombie Virus to Steam in April - GameSpace.com - February 19th, 2024
- Lincoln hosts Alice Cooper and Rob Zombie - Omaha - KETV Omaha - February 19th, 2024
- 'The Walking Dead - The Ones Who Live' Review AMC's Zombie Epic Shambles On - Collider - February 19th, 2024
- Legislative recap: zombie bills, teacher pay, lithium tax, pipelines and more - Black Hills Pioneer - February 19th, 2024
- Japan's stock markets are on a tear. Will 'zombie firms threaten the bull run? - CNBC - February 11th, 2024
- Thebe Phetogos haunted response to zombie figuration in art - The Washington Post - February 11th, 2024
- Cosmic dust from 'zombie' galaxies could form planets and life - The Telegraph - February 11th, 2024
- I walked with a zombie: 16 monster love interests that set hearts aflutter - The A.V. Club - February 11th, 2024
- Free Steam zombie shooter you've never heard of is getting rave reviews, somehow - GAMINGbible - February 11th, 2024
- South Korea's 'zombie football' finally leaves them in a hole too deep to climb out of - ESPN - February 11th, 2024
- Call of Duty: Modern Warfare 3's Zombie Mode is Getting Abandoned by Developer - FandomWire - February 11th, 2024
- Rob Zombie's House of 1000 Corpses Full Audio Being Released as Immersive Vinyl - ComicBook.com - February 11th, 2024
- Zombie 'apocalypse' caused by mind-altering fungi, like that in hit TV show The Last of Us, is possible MPs ar - Daily Mail - February 11th, 2024
- The dark horse of Steam Next Fest is this open-world zombie survival game that feels like an homage to the best game ... - Gamesradar - February 11th, 2024
- COVID-19 Zombie Viral Fragments Could Help Explain Why Some Infections Are More Severe | Weather.com - The Weather Channel - February 11th, 2024
- Gotham City becomes a Joker-infected zombie nightmare in new Batman #143 preview - Dexerto - February 11th, 2024
- Boy, 16, stabbed to death with zombie knife at birthday party, court hears - The Independent - February 11th, 2024
- ROB ZOMBIE And ALICE COOPER Announce Summer 2024 'Freaks On Parade' Tour With MINISTRY And FILTER - BLABBERMOUTH.NET - February 3rd, 2024
- Rob Zombie, Alice Cooper are bringing their 'Freaks on Parade Tour' to Indy this summer - IndyStar - February 3rd, 2024
- Alice Cooper And Rob Zombie Touring Again This Summer - Vermilion County First - February 3rd, 2024
- Rob Zombie and Alice Cooper's 'Freak' show coming Aug. 25 to the X in St. Paul - Star Tribune - February 3rd, 2024
- Rob Zombie and Alice Cooper get their freak on with tour stop in Houston - CultureMap Houston - February 3rd, 2024
- 'True Detective: Night Country' and the 'Zombie Virus' Theory - Pajiba Entertainment News - February 3rd, 2024
- Alice Cooper and Rob Zombie to team up at Star Lake; Heart to headline PPG Paints Arena - The Times - February 3rd, 2024
- Double bills of Rob Zombie and Alice Cooper, Train and REO Speedwagon coming this summer - St. Paul Pioneer Press - February 3rd, 2024
- Rob Zombie and Alice Cooper's Freaks On Parade 2024 tour: Presale code, tickets, dates, venues, & all you need to ... - Sportskeeda - February 3rd, 2024
- Rob Zombie and Alice Cooper added to Walmart AMP lineup - Fayetteville Flyer - February 3rd, 2024
- ROB ZOMBIE and ALICE COOPER continue "The Freaks On Parade" tour in 2024 - Lambgoat - February 3rd, 2024
- Rob Zombie, Alice Cooper to Continue Their 'Freaks on Parade' Tour with Filter and Ministry - MetalSucks - February 3rd, 2024
- 'Handling the Undead' Review: This Emotional Zombie Horror Movie Isn't as Unique as It Thinks | Sundance 2024 - Collider - February 3rd, 2024
- Sundance Review: Handling The Undead Deconstructs the Zombie Genre with Painful Dread - The Film Stage - February 3rd, 2024
- How many 'zombie' stores will be left in the Philly area after Rite Aid's bankruptcy? - The Philadelphia Tribune - February 3rd, 2024
- Rob Zombie, Alice Cooper announce 'Freaks on Parade' 2024 tour dates with Ministry and Filter - Brooklyn Vegan - February 3rd, 2024
- Rob Zombie, Alice Cooper coming to Milwaukee on Aug. 27, 2024 - FOX 6 Milwaukee - February 3rd, 2024
- Alice Cooper And Rob Zombie Announce 2024 Tour: See The Dates - iHeartRadio - February 3rd, 2024
- Rob Zombie and Alice Cooper to stop at Walmart AMP - KNWA - February 3rd, 2024
- Rob Zombie and Alice Cooper coming to Blossom - WJW FOX 8 News Cleveland - February 3rd, 2024
- Rob Zombie and Alice Cooper Reveal Joint U.S. Tour Dates Here's How To Get Presale Code Tickets - Grimy Goods - February 3rd, 2024
- Canada's 'zombie fires' continue to burn even under thick layers of snow - National Post - February 3rd, 2024
- Alice Cooper and Rob Zombie bringing Freaks on Parade to Coopers home state - MLive.com - February 3rd, 2024
- Rob Zombie and Alice Cooper get their freak on with tour stop in Austin - CultureMap Austin - February 3rd, 2024
- This Is The Only New York Show for Cooper and Zombie In 2024 - Q105.7 - February 3rd, 2024
- Rob Zombie and Alice Cooper Reconvene for Freaks On Parade Tour - Knotfest - February 3rd, 2024
- Rob Zombie and Alice Cooper To Hit The Road Together Again - WRIF - February 3rd, 2024
- Handling The Undead Review: Sadness Is The Infection In Slow-Burn Zombie Drama - Screen Rant - February 3rd, 2024
- Zombie apocalypse or environmental saviours? SITC holds one-off session on the incredible world of fungi ... - Committees - February 3rd, 2024
- Freaks on Parade Tour with Rob Zombie, Alice Cooper, Ministry and Filter coming to Star Lake - Pittsburgh Post-Gazette - February 3rd, 2024
- Scientists warn melting permafrost could unleash ancient 'zombie viruses' - The Independent - January 26th, 2024
- 'Zombie knives' to be banned in England and Wales from September - Reuters UK - January 26th, 2024
- Zombie-style knives: What are they and what are the new rules around them? - The Independent - January 26th, 2024
- Vermin Supreme runs on gingivitis and zombie power - GBH News - January 26th, 2024
- One of the Greatest Zombie Horror Movies of All Time Just Hit Netflix - Collider - January 26th, 2024
- UK's Struggle to Ban 'Zombie' Knives Shows Why Sunak's in Trouble - Yahoo News - January 26th, 2024
- Mother whose son was stabbed to death slams new Government zombie knives crackdown - The Independent - January 26th, 2024
- 'Your Role in the Zombie Apocalypse' by C.K. McDonnell - SciFiNow - January 26th, 2024
- 'They've announced this 16 times!' Labour MP blasts Government over zombie knife ban - Ocean City Today - January 26th, 2024
- The 1965 IH Travelall 'Zombie Slayer' I Sold Is for Sale Again, and I Don't Miss It - The Drive - January 26th, 2024
- Invasion of the Zombie Ants - Tinkercast - January 26th, 2024
- Are zombie knives illegal? How loopholes have thwarted 2016 ban - MSN - January 26th, 2024
- 'Zombie' virus threat: Scientists warn of terrifying new pandemic - Deccan Herald - January 26th, 2024
- Ancient zombie viruses trapped in Arctic ice could unleash deadly new pandemic: 'Tangible threat' - New York Post - January 26th, 2024
Reviewed and Recommended by Erik Baquero