How refactoring code in Safari's WebKit resurrected 'zombie' security bug
Security News, June 2022
A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago, a textbook example of a "zombie" vulnerability.
That is a bug that has been patched but, for whatever reason, can be abused all over again on up-to-date systems and devices, or a bug closely related to a patched one.
The 2013 vulnerability was a use-after-free flaw in the History API code of WebKit, the open-source browser engine underlying Safari.
A refactoring of that code in December 2016 reintroduced the flaw that the 2013 patch had removed.
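The pattern behind that kind of regression is worth seeing in code. The following is an added, constructed C model and not WebKit's code: a reference-counted history entry, a navigation routine that runs a callback able to mutate the history while the routine still holds a borrowed pointer (the use-after-free shape), the hardened form that holds its own reference across the callback, and a regression check that fails if a later "simplification" drops the ref/deref pair. All names (Entry, History, navigate_vulnerable, navigate_fixed, regression_check) are hypothetical; freed slots are poisoned rather than returned to malloc() so that the stale read is well defined in this model instead of being undefined behaviour that only ASan would flag.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not WebKit code): a small pool of reference-counted
 * session-history entries. A slot with refcount 0 is free; on the last
 * deref the slot is poisoned so a read through a stale pointer is visible. */
#define POOL_SIZE 8
#define POISON_ID (-1)

typedef struct {
    int refcount;   /* 0 => slot is free */
    int id;         /* entry identity; POISON_ID once "freed" */
    char url[32];
} Entry;

static Entry pool[POOL_SIZE];

/* Returns an entry with one reference owned by the caller. */
static Entry *entry_alloc(int id, const char *url) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].refcount == 0) {
            pool[i].refcount = 1;
            pool[i].id = id;
            snprintf(pool[i].url, sizeof pool[i].url, "%s", url);
            return &pool[i];
        }
    }
    return NULL;
}

static void entry_ref(Entry *e) { e->refcount++; }

static void entry_deref(Entry *e) {
    if (--e->refcount == 0) {
        /* "free": poison so a later use through a dangling pointer shows up */
        e->id = POISON_ID;
        memset(e->url, 0, sizeof e->url);
    }
}

typedef struct {
    Entry *items[POOL_SIZE];
    int count;
    int current;
} History;

/* Adopts the caller's reference; the history becomes the sole owner. */
static void history_push(History *h, Entry *e) {
    h->items[h->count++] = e;
    h->current = h->count - 1;
}

/* Callback that runs mid-navigation and mutates the history (in a browser,
 * script reached from an event handler plays this role). Dropping the
 * current entry releases the history's, and here the last, reference. */
static void history_drop_current(History *h) {
    Entry *e = h->items[h->current];
    for (int i = h->current; i < h->count - 1; i++) h->items[i] = h->items[i + 1];
    h->count--;
    if (h->current >= h->count) h->current = h->count - 1;
    entry_deref(e);
}

/* Vulnerable shape: a borrowed pointer is kept across a callback that may
 * release the object it points to, then dereferenced. */
static int navigate_vulnerable(History *h, void (*cb)(History *)) {
    Entry *cur = h->items[h->current];  /* borrowed, no reference taken */
    cb(h);                              /* may drop cur's last reference */
    return cur->id;                     /* use-after-free if it did */
}

/* Fixed shape: hold a reference for the duration of the call. A refactoring
 * that removes this ref/deref pair reintroduces the bug without changing
 * any other line, which is why a regression check belongs next to the fix. */
static int navigate_fixed(History *h, void (*cb)(History *)) {
    Entry *cur = h->items[h->current];
    entry_ref(cur);
    cb(h);
    int id = cur->id;
    entry_deref(cur);
    return id;
}

/* Regression check: two-entry history, navigate with a callback that drops the
 * current entry, verify the entry survived the call. Returns 1 on pass. */
static int regression_check(int (*navigate)(History *, void (*)(History *))) {
    memset(pool, 0, sizeof pool);
    History h = {0};
    history_push(&h, entry_alloc(1, "https://example.test/a"));
    history_push(&h, entry_alloc(2, "https://example.test/b"));
    int id = navigate(&h, history_drop_current);
    for (int i = 0; i < h.count; i++) entry_deref(h.items[i]);  /* cleanup */
    return id == 2;
}

int main(void) {
    printf("fixed navigate passes regression check: %d\n", regression_check(navigate_fixed));
    printf("vulnerable navigate passes regression check: %d\n", regression_check(navigate_vulnerable));
    return 0;
}
```

The check passes for navigate_fixed and fails for navigate_vulnerable, where the callback's deref poisons the entry before the stale read. In real C++ code the equivalent guard is a RefPtr or Ref taken before calling out to anything that can run script; the check exists so that removing it during a refactor fails CI rather than surfacing years later as an in-the-wild exploit.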
"Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit," Google Project Zero researcher Maddie Stone wrote last year, adding that in 2020, "[One] out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored."
John Bambenek, principal researcher with cybersecurity vendor Netenrich, told The Register that zombie 0-days typically result from incomplete patching.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/06/21/apple-safari-zombie-exploit/