Apple is again, after about a month, facing a zero-day vulnerability impacting its devices and having to release a new security patch . Also this time it is WebKit that is attacked by using the web contents created ad hoc by the attackers . WebKit is the rendering engine used by Safari, Mail, App Store and many other macOS, iOS and Linux applications. In this case the attackers are able to execute arbitrary code that could allow the exfiltration of personal data even generate sudden shutdowns of the operating system.
Apple's zero-day vulnerability and iOS patch
The company has issued a press release in these hours where it declares itself aware of the presence of this vulnerability . The zero-day code is CVE-2022-22620 and is currently classified as confidential in the MITER database. However, from what emerged from the news circulating on the net, it should be a Use-After-Free type that concerns the use of dynamic memory.
Dynamic memory, in modern operating systems, allows you to allocate and free up space at runtime. However, it happens in cases where the memory is not managed correctly that the pointers used to refer to portions of memory become pending. In this case, that is, they are able to point to an area that is now vacated and which should no longer be valid.
Going into more detail, a running program has a certain dynamic memory area allocated and, for some reason, that area is then freed. However, instead of canceling the pointer (for example by overwriting NULL), it will continue to point to the freed memory area becoming a so-called dangling pointer. In the event that the freed memory portion is re-referenced (considering the possibility of further overwriting in the meantime), one could run into unexpected program behavior.
The impact on users and the attack scenario
Hackers exploiting the Use-After-Free vulnerability can potentially be able to pass arbitrary code to the program and have it run through the use of hanging pointers . The reason is typically to be found in errors in conditional statements or in the routines responsible for freeing up memory.
The impacted devices are several, starting from iPhones to notebooks running macOS Monterey. In particular, the operating systems identified are macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1 which have all received a security update. In fact, as anticipated in the title, Apple immediately ran for cover, releasing a patch that modifies the way operating systems manage dynamic memory.
Unfortunately, Apple is increasingly the victim of this type of attack, highlighting the management of its operating systems that is not always perfect. In 2022 alone, the company has already remedied two other vulnerabilities , one related to memory usage and another related to WebKit. Considering, however, that it would be enough to visit a malicious website to be affected by this latest zero-day vulnerability, our advice is to update the operating system to the latest version as soon as possible. In this way you will be sure that you are protected and that all measures have been taken to prevent potential security risks.
The article New zero-day for iOS and Apple remedies with a patch comes from Tech CuE | Close-up Engineering .