theregister.com Article: How refactoring code in Safari’s WebKit resurrected ‘zombie’ security bug
A security flaw in Apple’s Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a “zombie” vulnerability.
Tuesday, June 14, 2022
An Autopsy on a Zombie In-the-Wild 0-day
Posted by Maddie Stone, Google Project Zero
Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations. This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022. If you’re interested in the full root cause analysis for CVE-2022-22620, we’ve published it here.