CVE-2020-9947

CVSS: 8.8 HIGH

📋 TL;DR

CVE-2020-9947 is a use-after-free vulnerability in Apple's WebKit browser engine that allows arbitrary code execution when processing malicious web content. Attackers can exploit this by tricking users into visiting specially crafted websites, potentially taking full control of affected devices. This affects multiple Apple products including iPhones, iPads, Apple Watches, Apple TVs, and Safari/iTunes/iCloud on Windows.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
  • watchOS
  • tvOS
  • Safari
  • iTunes for Windows
  • iCloud for Windows
Versions: prior to iOS 14.0, iPadOS 14.0, watchOS 7.0, tvOS 14.0, Safari 14.0, iTunes 12.10.9, iCloud 11.5
Operating Systems: iOS, iPadOS, watchOS, tvOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected Apple products are vulnerable. The vulnerability is in WebKit, which powers Safari and other Apple web-rendering components.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with the attacker gaining complete control over the device, allowing data theft, surveillance, ransomware deployment, or establishment of persistence.

🟠 Likely Case

Drive-by browser exploitation leading to malware installation, credential theft, or unauthorized access to device resources and data.

🟢 If Mitigated

Limited impact with proper patch management and security controls; exploitation attempts would be blocked by updated software.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting a malicious website) but no authentication. The CVSS score of 8.8 reflects high exploitability combined with significant impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 14.0+, iPadOS 14.0+, watchOS 7.0+, tvOS 14.0+, Safari 14.0+, iTunes 12.10.9+, iCloud 11.5+

Vendor Advisory: https://support.apple.com/en-us/HT211843

Restart Required: Yes

Instructions:

1. Update iOS/iPadOS to 14.0 or later via Settings > General > Software Update.
2. Update watchOS to 7.0 or later via the Watch app on iPhone.
3. Update tvOS to 14.0 or later via Settings > System > Software Updates.
4. Update Safari via macOS Software Update.
5. Update iTunes/iCloud for Windows via Apple Software Update or the Microsoft Store.

🔧 Temporary Workarounds

Disable JavaScript (applies to: all)

Temporarily disable JavaScript in Safari to prevent exploitation through web content.

Safari > Preferences > Security > uncheck 'Enable JavaScript'

Use Alternative Browser (applies to: all)

Use non-WebKit based browsers (Chrome, Firefox) until patches are applied. Note that on iOS and iPadOS third-party browsers are required to use the system WebKit engine, so this workaround only reduces exposure on macOS and Windows.

🧯 If You Can't Patch

  • Restrict web browsing to trusted sites only using content filtering or web proxies
  • Implement network segmentation to isolate vulnerable devices from critical systems

🔍 How to Verify

Check if Vulnerable:

Compare the installed version against the affected ranges: iOS <14.0, iPadOS <14.0, watchOS <7.0, tvOS <14.0, Safari <14.0, iTunes <12.10.9, iCloud <11.5

Check Version:

iOS/iPadOS: Settings > General > About > Version; macOS: Safari > About Safari; Windows: iTunes/iCloud > Help > About

Verify Fix Applied:

Confirm that version numbers match or exceed the patched versions listed in the Official Fix section.
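The version comparison above is easy to get wrong when done as a string compare (for example "12.9.3" sorts after "12.10.9" lexically, even though it is older). The following Python script is an added example, not part of the original advisory: it encodes the fixed versions from this page and compares an inventory of installed versions numerically, padding short version strings so that "14" and "14.0" are treated as equal. The inventory values are constructed sample data.

```python
"""Check installed Apple software versions against the CVE-2020-9947 fix versions."""
from typing import Dict, List, Tuple

# Minimum fixed versions, taken from the advisory on this page.
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "14.0",
    "iPadOS": "14.0",
    "watchOS": "7.0",
    "tvOS": "14.0",
    "Safari": "14.0",
    "iTunes for Windows": "12.10.9",
    "iCloud for Windows": "11.5",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.10.9' into (12, 10, 9) so comparison is numeric, not lexical."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1 if a < b, 0 if equal, 1 if a > b. Short tuples are zero-padded,
    so '14' compares equal to '14.0' rather than sorting before it."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed version is older than the fixed version for this product."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fix version recorded for product {product!r}")
    return compare_versions(installed, FIXED_VERSIONS[product]) < 0


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (product, installed, required) for every inventory entry still vulnerable."""
    findings = []
    for product, installed in inventory.items():
        if is_vulnerable(product, installed):
            findings.append((product, installed, FIXED_VERSIONS[product]))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; replace with values read from Settings > General > About etc.
    sample_inventory = {
        "iOS": "13.7",                 # older than 14.0 -> vulnerable
        "Safari": "14.0",              # exactly the fix version -> patched
        "iTunes for Windows": "12.9.3",  # numerically older than 12.10.9 -> vulnerable
        "iCloud for Windows": "11.5.1",  # newer than 11.5 -> patched
    }
    for product, installed, required in audit(sample_inventory):
        print(f"VULNERABLE: {product} {installed} (requires {required} or later)")
```

Run it as-is to see the two vulnerable entries from the sample inventory reported; in practice, feed it the versions gathered from the Check Version steps above.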

📡 Detection & Monitoring

Log Indicators:

  • Safari/WebKit crash logs with memory access violations
  • Unexpected process creation from browser processes
  • Web content loading from suspicious domains

Network Indicators:

  • HTTP requests to known exploit domains
  • Unusual outbound connections from browser processes
  • Traffic patterns matching drive-by download campaigns

SIEM Query:

(source="*safari*" OR source="*webkit*") AND (event_type="crash" OR event_type="process_creation") AND severity>=high
