CVE-2022-42827 – A type confusion issue was addressed with improved checks (29th Mar 2023).

Preface: WebKitGTK is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.

Background: There is no Webkit. framework in Cocoa Touch. The webkit framework is only available on OS X. For iOS, just use UIWebview.
The Core OS Layer is the last layer of the iOS stack and sits directly on top of the device hardware. This layer provides a variety of services including low level networking, access to external accessories and the usual fundamental operating system services such as memory management, file system handling and threads.

Vulnerability details: A type confusion issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.2.1, iOS 16.3.1 and iPadOS 16.3.1, Safari 16.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

My observation: Since the vulnerability not described in details! My speculation, does vendor found attacker exploit below design weakness (see belwo):
%rbx is a callee save register , we know that some callee of JITCode::execute() must have modified %rbx and failed to restore it before returning. JSC does have code to save and restore callee save registers in LLInt interpreter and Just-In-Time (JIT) compiler generated code.
Perhaps the vulnerability enhancement is going to correctly caller-save return address register.

Official announcement: For details, please refer to the link

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.