CVE-2022-22624 - A Deep Dive into the macOS, iOS, and Safari Use-After-Free Vulnerability

In early 2022, Apple issued patches for a critical WebKit vulnerability tracked as CVE-2022-22624. This flaw impacted multiple Apple platforms and had the potential for arbitrary code execution — in simple terms, someone could run any code they wanted on your device if you visited a malicious web page. Let’s break down what happened, show you how the exploit worked, and explain why keeping your Apple devices updated is so important.

What is CVE-2022-22624?

CVE-2022-22624 is a _use-after-free_ vulnerability found in WebKit, the browser engine behind Safari and many iOS/macOS apps that display web content. In technical terms, _use-after-free_ means a part of the program tried to use memory after it was already released (“freed”). Attackers can exploit these situations to run their own code, hijack a session, or crash the program.

Safari 15.4

If you’re not on these versions or later, your device is at risk.

- Original security advisory by Apple
- NVD entry for CVE-2022-22624

How Did the Vulnerability Work?

WebKit is very complex, and a bug in how it managed references to certain web content let attackers trick the engine into freeing an object but then still using it. This is dangerous because attackers could control what was in that piece of memory — potentially putting their own code there — and then making WebKit run it.

Apple’s brief description

> “A use after free issue was addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution.”

Let’s look at a basic code snippet to explain this type of bug (a simplified example).

// Pseudocode for Use-After-Free
Object* obj = new Object();
// ... some operations ...
delete obj; // object is freed

// Oops! We are still using obj here
obj->doSomething(); // This is unsafe - use after free!

If the attacker can influence what replaces the freed memory, they can control doSomething() and redirect execution.

Let’s walk through how attackers could use CVE-2022-22624

1. Craft a Malicious Webpage: The attacker creates web content that triggers the use-after-free in WebKit.
2. You Visit the Website: On an unpatched iPhone/iPad/Mac/Safari, the page exploits the bug, freeing a chunk of memory but later reusing it.
3. Memory is Controlled: The attacker’s script fills that freed memory with data pointing to their own code as a payload.
4. Remote Code Execution: When WebKit uses the freed pointer, it jumps to the attacker’s code. This can take over the device, steal data, or install malware.
 
In the wild, these bugs are often used as part of sophisticated malware, phishing sites, or spyware campaigns.

Proof-of-Concept (PoC)

While the original, in-the-wild exploit code for CVE-2022-22624 is not public, here’s a minimal _conceptual_ JavaScript PoC showing the idea. This isn’t functional code, but shows the basic logic.

// WARNING: Do NOT run untrusted code
let victim = window.document.createElement("iframe");
document.body.appendChild(victim);

// Some event frees the victim object
document.body.removeChild(victim); // presumably, bug in garbage collection

// Now, "victim" may still be referenced
// Attacker fills freed memory by allocating many new objects
for (let i = ; i < 10000; i++) {
  let fake = document.createElement("div");
  // try to occupy freed space
}

// WebKit follows a stale pointer and does something unintended
// Under the hood, this could eventually execute attacker code

A real exploit would be more complex — manipulating “heap spraying”, crafting fake objects, and using assembly code to run a payload.

How Did Apple Fix It?

Apple improved the memory management in WebKit. This means they made sure that, after freeing an object, all references to it are cleared, and the code checks whether pointers are still valid before using them.

What Should You Do?

- Update Your Devices: If you’re not already running Monterey 12.3, iOS/iPadOS 15.4, tvOS 15.4, or Safari 15.4 or higher, update right now.
- Be Vigilant With Web Content: Be cautious of links from unknown sources, especially on outdated Apple devices.

More Resources

- Apple Security Update for iOS 15.4
- Apple Security Update for macOS 12.3
- CVE Details

Final Thoughts

CVE-2022-22624 is a sobering reminder that even the most secure systems have flaws. Attackers are always hunting for fresh bugs, so staying up to date is essential. The good news? Apple’s quick fix means that as long as you update, you’re protected from this kind of web-based attack.

Stay safe online, and always keep your devices patched!

Timeline

Published on: 09/23/2022 19:15:00 UTC
Last modified on: 09/28/2022 12:03:00 UTC