Apple has now patched the same Safari vulnerability for the third time: it was originally discovered in 2013, reappeared in 2016 after a code update, and has now been found and fixed again, according to a Google Project Zero report.
The issue in question is tracked as CVE-2022-22620 (CVSS 8.8) and is a use-after-free bug in the WebKit component. The vulnerability could be used to execute arbitrary code, and in early February 2022, Apple released patches for this issue in Safari, iOS, iPadOS, and macOS, warning that the vulnerability may already be under attack.
Last year, Stone, the Project Zero researcher behind the report, had already written that a quarter of all zero-day vulnerabilities observed by Google Project Zero in 2020 were closely related to previously disclosed vulnerabilities, usually because the original fixes were incomplete.
The Safari case is slightly different, however. Here Apple fully fixed the problem in 2013, but the fix was undone ("damaged") in 2016 when the code was restructured.
According to Stone, both the original 2013 issue and the related bug discovered this year involve the History API and could be exploited via specially crafted web content to execute arbitrary code remotely.
Stone points to code refactoring as one of the main problems developers face: a refactor can silently reintroduce a bug that had already been fixed. That is why developers and security teams need time to test fixes, especially security-related ones, and to confirm that they remain in place after later changes to the code.