- Visiting a maliciously crafted website could trigger the bug in versions older than 16.3, 15.7.3, or 12.5.7 depending on the device model
- The bug could lead to arbitrary code execution
- Apple acknowledged in these release notes that the bug may have been “actively exploited”
- The bug was originally patched in version 15.7.2 on December 13th, 2022.
- And finally, the patch was backported to older devices in version 12.5.7 on January 23rd, 2023 (note 12.5.6 was the only 2022 release due to a similar security patch)
- If successfully exploited, the attacker could control the code execution within the context of WebKit, which would give them limited ability to read/write files and communicate with the attacker. But they will still need to exploit further vulnerabilities to gain full access to the device.
Research led by Nir Avraham and Yuan Shen.
In order to better understand the nature of this vulnerability and the steps taken to fix it, we took a deeper look at the release and found the patched code.
With little help from bindiff, we turned our analysis to the WebKit Bugzilla tracking number found in the advisory, "WebKit Bugzilla 248266," seen in this screenshot from February 1, 2023:
After digging into the WebKit repository on GitHub, we found a patch that matches the tracking number, with the following patch note, seen in this partial WebKit commit message:
The actual patch is as shown in this screenshot of GitHub diff:
The first thing we notice is that the patch doesn't change any code structure, only replacing ~SpecDoubleReal in the call to isNotInt32. This means that the patch doesn't affect the generated instructions and code flow, and explains why our original bindiff failed to identify this patch in JSC.
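As an added illustration (not from the original post, and built on constructed instruction listings rather than real JavaScriptCore disassembly), this shows why a structure-only comparison of the kind a bindiff-style matcher performs reports the two builds as identical, while an operand-aware comparison surfaces the single changed argument:

```python
from typing import List, Tuple

# Constructed stand-ins for the compiled speculate routine before and after the
# patch. The listings differ only in the immediate passed as the type-filter
# argument; the mnemonics, registers and control flow are the same. The mask
# values are illustrative, not the real SpeculatedType bits.
UNPATCHED = [
    "ldr  x0, [x19, #8]",
    "mov  x1, #0x1000",              # old filter mask (constructed value)
    "bl   isNotInt32",
    "cbnz w0, .Lfail",
    "ret",
    ".Lfail:",
    "b    typeCheckFailure",
]
PATCHED = [
    "ldr  x0, [x19, #8]",
    "mov  x1, #0xfffffffffffffeff",  # new mask, standing in for ~SpecDoubleReal
    "bl   isNotInt32",
    "cbnz w0, .Lfail",
    "ret",
    ".Lfail:",
    "b    typeCheckFailure",
]

def structural_signature(insns: List[str]) -> Tuple[str, ...]:
    """Keep mnemonics, labels and branch/call targets; drop registers and
    immediates. This is what a control-flow-based matcher effectively sees."""
    sig = []
    for insn in insns:
        if insn.endswith(":"):
            sig.append(insn)                    # label: part of the CFG
            continue
        parts = insn.split(None, 1)
        mnem = parts[0]
        if mnem in ("b", "bl", "cbz", "cbnz"):
            target = parts[1].split(",")[-1].strip()
            sig.append(f"{mnem} {target}")      # keep the flow target only
        else:
            sig.append(mnem)
    return tuple(sig)

def bindiff_style_match(a: List[str], b: List[str]) -> bool:
    """True when both functions have the same structure, operands ignored."""
    return structural_signature(a) == structural_signature(b)

def operand_diff(a: List[str], b: List[str]) -> List[Tuple[int, str, str]]:
    """Line-by-line comparison of aligned instructions including operands;
    an operand-only patch shows up here as exactly one differing line."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x.strip() != y.strip()]
```

In practice this is the case for a byte-level or operand-aware diff of the matched function, rather than relying on structural similarity scores alone.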
With the above information, the following change is found in the compiled function for LowerDFGToB3::speculate, which confirms the patch from the source code. The first image contains code from 12.5.6, while the second is the patched version in 12.5.7.
We highly recommend that users upgrade their current software to the newest version available in order to prevent potential security breaches.