CVE-2022-32923 - Understanding the JIT Correctness Issue in WebKit — How It Was Fixed and Why It Mattered

Apple devices are known for their security, but even they aren’t immune to subtle and severe bugs. One such bug was found in WebKit’s Just-In-Time (JIT) compiler, tracked as CVE-2022-32923. In this exclusive, plain-language breakdown, we’ll see exactly what went wrong, how it was fixed, and why this bug was so important to squash.

What is CVE-2022-32923?

CVE-2022-32923 is a vulnerability in Apple’s WebKit engine — that’s the bit of code rendering webpages in Safari and many other Apple apps. The flaw hit JIT (Just-In-Time Compilation), which is used to make JavaScript run really fast. But, with speed comes risk.

The problem? An incorrect check in the JIT process could leave a door open for attackers. By serving up *malicious web content*, an attacker could see things inside the app that should have stayed secret. That’s a big deal: JIT bugs are a favorite target for hackers because they sometimes let you break out of the normal safety rules.

iOS 16.1 and iPadOS 16.1

Reference: Apple Security Updates - HT213489

How Did the Attack Work?

The root cause was a *correctness flaw* — the JIT didn’t always check things as carefully as it should. This could let a specially-crafted web page (JavaScript) *read* or *guess* something about the app’s internal state, maybe even sensitive data in memory.

Exploit Scenario (Demo Code)

Suppose there’s an incorrect bounds check in a JITed function. A malicious page could run weird JavaScript to trick the JIT into reading data next to an array.

// This is not the actual exploit, but a demo of how attackers approach such bugs
function confuseJIT(arr, value) {
    for(let i=; i < 10000; i++) {
        // Train the JIT to assume arr.length is always 100
        arr[] = 42;
    }
    // "value" controls an out-of-bounds index in the array
    return arr[value];
}

let normalArr = new Array(100).fill();
// The attacker carefully picks 'value' to go out-of-bounds if a bug is present
let result = confuseJIT(normalArr, 150); // Could leak internal memory!
console.log("Leaked value:", result);

With the right bug, result could show private memory — maybe passwords, keys, or other data.

Why Is JIT So Tricky?

JIT compilers *guess* about code they run, trying to make fast shortcuts. If an attacker can confuse those guesses, sometimes memory safety goes out the window.

WebKit’s JIT is big and complex, and tiny mistakes can have big consequences.

According to Apple

> A correctness issue in the JIT was addressed with improved checks.

That means they tightened up the rules, making the JIT *prove* it’s safe before letting the magic happen. More specifically, they made sure the JIT doesn’t make dangerous assumptions about how JavaScript code will behave with arrays and object properties.

Safari 16.1 or later

- iOS/iPadOS 15.7.1 or 16.1 or later

matching current releases for tvOS and watchOS

Go to *Settings > General > Software Update* on your device, or to the App Store for Safari updates.

Additional Resources

- Apple's CVE-2022-32923 advisory
- NVD Entry for CVE-2022-32923
- Project Zero: Attacking JIT compilers (background on JIT exploit development)
- WebKit Bug Tracker


*Summary: CVE-2022-32923 is a WebKit JIT bug that could leak internal app states by processing a malicious web page. Apple fixed it fast — your job is to stay updated!*

> Tip: Are your devices up-to-date? If not, you could be one bad website away from a bad day. Update now!

Timeline

Published on: 11/01/2022 20:15:00 UTC
Last modified on: 01/09/2023 16:44:00 UTC