One Article Review

Home - The article:
Source Google Project Zero
Identifier 8221929
Publication date 2022-06-14 09:00:24 (viewed: 2022-11-25 18:05:33)
Title An Autopsy on a Zombie In-the-Wild 0-day
Text Posted by Maddie Stone, Google Project Zero

Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations. This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022. If you’re interested in the full root cause analysis for CVE-2022-22620, we’ve published it here.

In the 2020 Year in Review of 0-days exploited in the wild, I wrote how 25% of all 0-days detected and disclosed as exploited in-the-wild in 2020 were variants of previously disclosed vulnerabilities. Almost halfway through 2022, it seems like we’re seeing a similar trend. Attackers don’t need novel bugs to effectively exploit users with 0-days; instead they can use vulnerabilities closely related to previously disclosed ones.

This blog focuses on just one example from this year because it’s a little bit different from the other variants we’ve discussed before. Most variants we’ve discussed previously exist due to incomplete patching. In this case, however, the variant was completely patched when the vulnerability was initially reported in 2013. The variant was then reintroduced 3 years later during large refactoring efforts, and the vulnerability continued to exist for 5 years until it was fixed as an in-the-wild 0-day in January 2022.

Getting Started

In the case of CVE-2022-22620 I had two pieces of information to help me figure out the vulnerability: the patch (thanks to Apple for sharing with me!) and the description from the security bulletin stating that the vulnerability is a use-after-free.

The primary change in the patch was to change the type of the second argument (stateObject) of the function FrameLoader::loadInSameDocument from a raw pointer, SerializedScriptValue*, to a reference-counted pointer, RefPtr.

trunk/Source/WebCore/loader/FrameLoader.cpp
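The raw-pointer-to-RefPtr change described above, as an added C++ example that is not WebKit's or Project Zero's code: a toy StateObject, RefPtr and HistoryItem (all hypothetical stand-ins) plus a re-entrant callback that replaces the history item's state object, so the pre-fix raw pointer is left dangling while the post-fix RefPtr keeps the object alive for the duration of the call.

```cpp
// Added example, not WebKit's code: a toy refcount and RefPtr mimicking the
// CVE-2022-22620 fix (loadInSameDocument keeping its stateObject in a RefPtr).
#include <utility>
static int g_destroyed = 0;  // how many StateObjects have been deleted so far

struct StateObject {
    int value, refCount = 0;
    explicit StateObject(int v) : value(v) {}
    ~StateObject() { ++g_destroyed; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

// Minimal RefPtr: holds one reference for exactly as long as it exists.
class RefPtr {
    StateObject* m_ptr;
public:
    explicit RefPtr(StateObject* p = nullptr) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr& operator=(const RefPtr& o) { RefPtr t(o); std::swap(m_ptr, t.m_ptr); return *this; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    StateObject* get() const { return m_ptr; }
};

struct HistoryItem { RefPtr stateObject; };  // hypothetical stand-in for WebCore's HistoryItem
// Re-entrant work: script replaces the item's state object mid-call, dropping
// the item's (possibly last) reference to the old one.
static void replaceState(HistoryItem& item) { item.stateObject = RefPtr(new StateObject(2)); }
// Pre-fix shape: the callee holds only a raw pointer. Returns whether the object it
// was handed is still alive afterwards; touching it when false is the use-after-free.
static bool useAfterReentryRaw(HistoryItem& item, StateObject*, void (*reentrant)(HistoryItem&)) {
    int before = g_destroyed;
    reentrant(item);
    return g_destroyed == before;
}
// Post-fix shape: the callee's own RefPtr keeps the object alive across re-entry.
static bool useAfterReentryRefPtr(HistoryItem& item, RefPtr stateObject, void (*reentrant)(HistoryItem&)) {
    int before = g_destroyed;
    reentrant(item);
    return g_destroyed == before && stateObject.get()->value == 1;  // safe to dereference
}
bool rawPointerVersionIsSafe() {  // false: the object is freed under our feet
    HistoryItem item{RefPtr(new StateObject(1))};
    return useAfterReentryRaw(item, item.stateObject.get(), replaceState);
}
bool refPtrVersionIsSafe() {  // true: the extra reference outlives the callback
    HistoryItem item{RefPtr(new StateObject(1))};
    return useAfterReentryRefPtr(item, item.stateObject, replaceState);
}
```

The raw-pointer path never dereferences the dead object; it only reports that the object was destroyed during the callback, which is the condition the RefPtr change removes.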
Sent Yes
Tags Tool, Vulnerability, Patching
The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.