Summary: A five-year-old vulnerability has been discovered in Apple’s Safari, reports Hacker News. This vulnerability was first discovered and fixed in 2013, but became a problem again in December 2016. The vulnerability that Google raised was CVE-2022-22620, which received a score of 8.8 based on CVSS, and is said to be a UaF vulnerability that appears in the WebKit element. A successful exploit could allow an attacker to remotely execute arbitrary code. It is already under zero-day attack by hackers.
Background: This vulnerability was already fully patched in 2013. However, it came back to life during a massive refactoring in 2016. It is said that the security industry has been missing out on that fact, and only hackers have known about it. For this reason, it was repeatedly disclosed and patched again in January 2022 under the name of the zero-day vulnerability.
Words: “It is quite often that past vulnerabilities are revived during large-scale modifications, redevelopment, or refactoring. In 2016, Apple did this in October and December, when it changed 135 files, modified 2236 files, and deleted 2550 files. It was a huge amount.” -Google Project Zero-
