skout-blog

Cybersecurity Threat Advisory 0038-22: Apple Safari Arbitrary Code Execution Vulnerability

ADVISORY OVERVIEW

Apple has had an existing arbitrary code execution vulnerability in their MacOS, iOS, iPadOS, and Safari in their past 3 zero-days known as CVE-2022-22620. Google and Barracuda MSP researchers are making sure users don’t forget this. The vulnerability could allow a threat actor to utilize the software to execute arbitrary code and gain full control of the devices. Barracuda MSP recommends staying up to date with all critical patches that Apple provides.

Technical Detail & Additional Information

WHAT IS THE THREAT?

An arbitrary code execution vulnerability existed in the 2013 and 2016 versions of MacOS and were finally patched in in February 2022 for those still running iOS 15.3.1 and iPadOS 15.3.1, macOS Monterey 12.2.1, and Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8) for macOS Big Sur and Catalina. An attacker who successfully executes this arbitrary code can gain control on all of Apple’s devices: iPhones, iPads, and Macs. This arbitrary code execution vulnerability exists due to a use-after-free memory corruption bug in the WebKit rendering engine, which powers Apple’s web browser Safari. This vulnerability has been categorized as a zero-day indicating that it was an unknown flaw however it has been revamped in 3 new critical ways.

WHY IS IT NOTEWORTHY?

This vulnerability was actively in the wild for 5 years before a patch was deployed and approximately one billion people are using more than 1.4 billion Apple devices. With a window and potential impact like that, it’s now more than evident that IT security and users must be observant of any unauthorized changes that occur in their network. An arbitrary code execution (ACE) stems from a flaw in software or hardware. A hacker then spots that problem, which leads to them using it for executing commands on a target device. Apple has been impacted by similar zero-day vulnerabilities dating back to 2013. When news of multiple zero-days such as this breaks publicly, attackers begin to gain confidence that the flaw can be exploited again. They are likely to accelerate attacks on targets where possible, while that window remains open.

WHAT IS THE EXPOSURE OR RISK?

When exploited, this vulnerability allows an attacker to have complete and unrestricted access to the devices running on Apples MacOS. If an attacker can run arbitrary code, they can easily install programs, exfiltrate, view, change, delete data, or create new accounts in the context allowed by the user’s rights. These privileges give the attacker the tools to conduct a ransomware event, impersonation, and obtain credential information that can lead to temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses, and potential harm to an organization’s reputation.

WHAT ARE THE RECOMMENDATIONS?

Barracuda MSP recommends the following actions to limit the impact of an arbitrary code execution attack:

  • Be observant of any new potential unauthorized activity.
  • Keep all applications updated to enforce new security measures
  • Continue to stay up to date with our threat advisories for updates.

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.

Threat Advisory Sign Up