Zombie vulnerability in Safari has risen from the dead twice


CVE-2022-22620 in Safari (with a score of 8.8 on the CVSS scale) is a use-after-free vulnerability in the WebKit component that can be triggered by specially crafted web content to execute arbitrary code. In early February 2022, Apple released fixes for this vulnerability in Safari, iOS, iPadOS and macOS, acknowledging that it may have been actively exploited in the wild.

“This version of the vulnerability was fully patched when it was first reported in 2013,” said Maddy Stone of Google Project Zero. “However, three years later, during large-scale refactoring work, the vulnerability reappeared. It then continued to exist for 5 years until it was eliminated as a 0-day in January 2022.”

Although the History API vulnerabilities of 2013 and 2022 are the same, they appeared for completely different reasons. Experts compared the vulnerability to a zombie, because code changes made years later “revived” CVE-2022-22620.

Noting that the incident is not unique to Safari, Stone stressed that specialists need to spend enough time reviewing code and patches to avoid cases of duplicate fixes and to understand how the changes they make affect security.

Another 0-day in Safari was reported earlier. With its help, “Russian hackers” attacked LinkedIn users.
