A memory issue affects myriad iPhone, iPad and MacOS devices and allows attackers to execute arbitrary code after processing malicious web content.
Apple has patched yet another zero-day vulnerability, this time in its WebKit browser engine, that threat actors already are actively exploiting to compromise iPhones, iPads and MacOS devices.
The zero-day, tracked as CVE-2022-22620, is a Use-After-Free issue, which is related to incorrect use of dynamic memory during program operation.
In the case of Apple’s zero-day, threat actors can execute arbitrary code on affected devices after they process maliciously crafted web content, the company said in a description of the bug. The flaw also can lead to unexpected OS crashes.
“Apple is aware of a report that this issue may have been actively exploited,” the company wrote in its update notes.
The simplest way threat actors can exploit the flaw involves the system’s reuse of freed memory, according to the vulnerability’s description on the Common Weakness Enumeration website. “Referencing memory after it has been freed can cause a program to crash, use unexpected values or execute code,” according to the post.
Exploiting previously freed memory can have various adverse consequences, “ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw,” the description said.
Memory Error
These types of errors typically have two common and sometimes overlapping causes: error conditions and other exceptional circumstances, and confusion over which part of the program is responsible for freeing the memory, according to the post.
In the case of CVE-2022-22620, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation.
“As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process,” according to the post.
If the newly allocated data happens to hold a class – for example, in C++ code – various function pointers may be scattered within the heap data. “If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved,” Apple’s post explained.
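The aliasing described above (a pointer kept past a free, then the same memory handed to a new owner) can be reproduced deterministically, together with one common defence. This is an added illustration, not code from Apple, WebKit or the CWE entry; the fixed pool and the names `pool_alloc`, `pool_free`, `pool_deref` and `handle_t` are hypothetical, and the pool stands in for the heap so that every access stays well-defined C.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOTS 4

/* Fixed pool standing in for the heap: a released slot becomes reusable,
   but its bytes stay addressable, so the stale write below is defined. */
typedef struct { uint32_t gen; int in_use; char data[16]; } slot_t;
typedef struct { uint32_t idx, gen; } handle_t;   /* checked reference */
static slot_t pool[SLOTS];

static handle_t pool_alloc(void) {
    for (uint32_t i = 0; i < SLOTS; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            memset(pool[i].data, 0, sizeof pool[i].data);
            return (handle_t){ i, pool[i].gen };
        }
    return (handle_t){ SLOTS, 0 };                /* pool exhausted */
}

static void pool_free(handle_t h) {
    if (h.idx >= SLOTS || !pool[h.idx].in_use || pool[h.idx].gen != h.gen) return;
    pool[h.idx].in_use = 0;
    pool[h.idx].gen++;                            /* invalidates old handles */
}

/* Returns the slot's data, or NULL when the handle is stale or invalid. */
static char *pool_deref(handle_t h) {
    if (h.idx >= SLOTS || !pool[h.idx].in_use || pool[h.idx].gen != h.gen)
        return NULL;
    return pool[h.idx].data;
}

/* Returns 1 when a write through a raw pointer kept across the free lands in
   the next owner's data AND the generation-checked handle refuses the same use. */
static int stale_raw_write_corrupts(void) {
    handle_t a = pool_alloc();
    char *raw = pool_deref(a);                    /* raw pointer outlives a */
    pool_free(a);
    handle_t b = pool_alloc();                    /* reuses the same slot */
    strcpy(pool_deref(b), "owner-b");
    strcpy(raw, "stale");                         /* write via dangling pointer */
    int corrupted = strcmp(pool_deref(b), "stale") == 0;
    int rejected = pool_deref(a) == NULL;         /* checked handle is refused */
    pool_free(b);
    return corrupted && rejected;
}

int main(void) { printf("%d\n", stale_raw_write_corrupts()); return 0; }
```

The raw pointer silently overwrites the second owner's data, while the handle carrying a generation number is rejected as soon as the slot has been released.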
Numerous Devices Affected
Apple released separate security updates for its products to address the issue – macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1. Both updates improve how the OSes manage memory.
The flaw affects numerous Apple devices, including iPhone 6s and later; all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation. It also affects desktops and notebooks running macOS Monterey.
The update is the second time this year that Apple has had to issue a patch for a zero-day. Last month, the company also had to patch a memory issue – a zero-day flaw also affecting iOS, iPadOS and macOS Monterey tracked as CVE-2022-22587. Attackers could exploit the bug using a malicious app to execute arbitrary code with kernel privileges.
At the same time, the company patched another WebKit zero-day tracked as CVE-2022-22594. The information-disclosure issue affects browsers for macOS, iOS and iPadOS and allows a snooping website to find out information about other tabs a user might have open.
Last year Apple also patched several zero-day vulnerabilities, including a zero-click zero-day exploited by the NSO Group’s Pegasus spyware and a memory-corruption flaw in its iOS and macOS platforms that could allow for system takeover.