Apple recently issued a security patch for a WebKit vulnerability (CVE-2022-42856) found in iOS/iPadOS that generated media attention.
The TL;DR
- Visiting a maliciously crafted website could trigger the bug in versions older than 16.3, 15.7.3, or 12.5.7, depending on the device model
- The bug could lead to arbitrary code execution
- Apple acknowledged in these release notes that the bug may have been “actively exploited”
- The bug was originally patched in version 15.7.2 on December 13th, 2022.
- And finally, the patch was backported to older devices in version 12.5.7 on January 23rd, 2023 (note 12.5.6 was the only 2022 release due to a similar security patch)
- If successfully exploited, the attacker could control code execution within the context of WebKit, which would give them limited ability to read/write files and communicate with the attacker's infrastructure. They would still need to exploit further vulnerabilities to gain full access to the device.
Research led by Nir Avraham and Yuan Shen.
In order to better understand the nature of this vulnerability and the steps taken to fix it, we took a deeper look at the release and found the patched code.
The security content of iOS 12.5.7 reveals that CVE-2022-42856 is the only security issue that was patched. Our initial analysis was conducted by performing a binary comparison between iOS 12.5.7 and 12.5.6 with a focus on the JSC (JavaScriptCore). As the built-in JavaScript Engine for WebKit, JSC is often targeted due to its complexity and the control that web-hosted JavaScript can exert over the local execution environment when compromised. However, an initial bindiff of the two versions indicated that there were no changes regarding JSC.
With not much help from bindiff we turned our analysis to the WebKit Bugzilla tracking number found in the advisory, "WebKit Bugzilla 248266," seen in this screenshot from February 1, 2023:
After digging into the WebKit repository on GitHub, we found a patch that matches the tracking number, with the following patch note, seen in this partial WebKit commit message:
The actual patch is as shown in this screenshot of GitHub diff:
The first thing we notice is that the patch doesn't change any code structure, only “replacing the ~SpecFullDouble with ~SpecDoubleReal” in the call to isNotInt32. This means that the patch doesn't affect the generated instructions or the code flow, which explains why our original bindiff failed to identify this patch in JSC.
With the above information, the following change is found in the compiled function for LowerDFGToB3::speculate, which confirms the patch from the source code. The first image contains code from 12.5.6, while the second is the patched version in 12.5.7.
The vulnerability leads to a type confusion issue within the FTL JIT (Faster Than Light Just In Time) compiler, which may ultimately lead to remote code execution within the context of WebKit while executing malicious JavaScript. Note that attackers still need other OS vulnerabilities to achieve full remote device control after the WebKit exploit succeeds.
Recommendations
We highly recommend that users upgrade their current software to the newest version available in order to prevent potential security breaches.
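The TL;DR thresholds are branch-specific: a device on 12.5.7 is patched even though 12.5.7 is "older" than 16.3 in a plain version comparison, which is exactly the kind of mistake a naive inventory query makes. The script below is an added example written for this post (not Jamf's or Apple's code) that triages an inventory of constructed device rows against those thresholds. It takes the thresholds from the TL;DR (16.3, 15.7.3, 12.5.7); the post also says the fix first shipped in 15.7.2, but the TL;DR value is used here. Branches the post does not mention (13.x, 14.x) are reported as not covered, and majors newer than any in the table are assumed to carry the fix.

```python
"""Branch-aware check of whether an iOS/iPadOS build carries the CVE-2022-42856 fix.

Added example for this post, not Jamf's or Apple's code. Thresholds are the
ones the post's TL;DR states; branches it does not mention (13.x, 14.x) are
reported as not covered, and majors newer than 16 are assumed to be fixed.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum build per major branch that contains the fix (from the post's TL;DR).
PATCHED_MINIMUM = {
    12: (12, 5, 7),   # backported fix for older devices
    15: (15, 7, 3),
    16: (16, 3),
}


def parse_version(text: str) -> Version:
    """'12.5.7' -> (12, 5, 7). Numeric parts, so 12.5.10 sorts after 12.5.7."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, width: int = 3) -> Version:
    """Right-pad with zeros so (16, 3) compares equal to (16, 3, 0)."""
    return v + (0,) * (width - len(v))


def is_patched(version_text: str) -> Optional[bool]:
    """True if fixed, False if vulnerable on a covered branch,
    None if the branch is not covered by the advisory thresholds."""
    v = parse_version(version_text)
    major = v[0]
    if major > max(PATCHED_MINIMUM):
        return True  # assumption: majors after 16 shipped with the fix
    floor = PATCHED_MINIMUM.get(major)
    if floor is None:
        return None
    # Compare within the branch only: a 12.5.7 device is fixed even though
    # 12.5.7 < 16.3 in a plain version comparison.
    return _pad(v) >= _pad(floor)


def needs_action(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (device, version, reason) for every row that should be upgraded."""
    findings = []
    for device, version in inventory:
        try:
            status = is_patched(version)
        except ValueError:
            findings.append((device, version, "unparseable version"))
            continue
        if status is False:
            findings.append((device, version, "below patched build for its branch"))
        elif status is None:
            findings.append((device, version, "branch not covered by advisory"))
    return findings


# Constructed inventory rows for the example, not real device data.
SAMPLE_INVENTORY = [
    ("tablet-01", "12.5.6"),
    ("tablet-02", "12.5.7"),
    ("phone-01", "15.7.1"),
    ("phone-02", "15.7.3"),
    ("phone-03", "16.2"),
    ("phone-04", "16.3.1"),
    ("tablet-03", "14.8.1"),
    ("phone-05", "n/a"),
]

if __name__ == "__main__":
    for device, version, reason in needs_action(SAMPLE_INVENTORY):
        print(f"{device:10} {version:8} {reason}")
```

Rows that parse but fall on an uncovered branch are flagged rather than silently passed, which is the conservative choice for a patch-compliance report: the only devices that should come back clean are those on a branch the advisory names, at or above the stated build.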