UPDATED 22:10 EDT / SEPTEMBER 17 2018

Webpage design code embedded in websites can crash iOS and macOS devices

A security researcher has published a proof-of-concept attack that can crash an Apple Inc. iOS or macOS device using nothing more than 15 lines of code embedded in a webpage.

Published on GitHub by Sabri Haddouche, a security researcher at Wire, the Cascading Style Sheets or CSS code exploits a vulnerability in WebKit, Apple’s open-source web browser rendering engine used by Safari, Mail, the App Store and other apps on both macOS and iOS.

On the technical side, the CSS code uses multiple nested elements with an effect called backdrop-filter, which is used for color shifting behind the element. Processing it is an intensive task, and as an app using WebKit attempts to render the CSS code, the rendering engine exhausts the system’s resources, forcing the device to reboot to recover.
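A mail gateway or content proxy can screen for the pattern described above before a WebKit-based app renders it. The sketch below is an added example, not code from the researcher or from this article; the threshold, the function names and the sample inputs are assumptions, and it only resolves inline styles and bare tag selectors, not class or ID selectors.

```python
import re
from html.parser import HTMLParser

MAX_FILTERED_DEPTH = 8  # assumed policy threshold, tune for your own content
STYLE_BLOCK = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
CSS_RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

def filtered_tags(html):
    """Bare tag selectors whose rule body sets backdrop-filter."""
    tags = set()
    for css in STYLE_BLOCK.findall(html):
        for selectors, body in CSS_RULE.findall(css.lower()):
            if "backdrop-filter" in body:  # also matches -webkit-backdrop-filter
                tags.update(s.strip() for s in selectors.split(","))
    return tags

class DepthScan(HTMLParser):
    """Tracks the deepest chain of open elements that carry backdrop-filter."""
    def __init__(self, tags):
        super().__init__()
        self.tags, self.stack, self.max_depth = tags, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        inline = (dict(attrs).get("style") or "").lower()
        self.stack.append((tag, tag in self.tags or "backdrop-filter" in inline))
        self.max_depth = max(self.max_depth, sum(hit for _, hit in self.stack))

    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self.stack):  # tolerate unclosed children
            while self.stack.pop()[0] != tag:
                pass

def filtered_depth(html):
    scan = DepthScan(filtered_tags(html))
    scan.feed(html)
    scan.close()
    return scan.max_depth

def is_suspicious(html):
    return filtered_depth(html) >= MAX_FILTERED_DEPTH

# Constructed inputs: a normal blurred nav bar, and a small nested chain.
BENIGN = '<nav style="backdrop-filter: blur(4px)"><a href="/">Home</a></nav>'
NESTED = ("<style>div { -webkit-backdrop-filter: blur(1px); }</style>"
          + "<div>" * 10 + "</div>" * 10)
```

A single filtered element, as on an ordinary page, scores a depth of 1; only stacked filtered ancestors raise the score toward the threshold.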

The Register noted that on systems that don’t crash, the HTML renders a picture of a “triggered” Thomas the Tank Engine.

Though the code primarily targets WebKit-enabled apps, Apple-powered products are not alone in the affliction. Haddouche noted that the same code crashes tabs in Microsoft Corp.’s IE and Edge web browsers.

Tyler Reguly, manager of software development at Tripwire Inc., told SiliconANGLE that such denial-of-service attacks are not the type pursued by known threat groups.

“A nation state or serious threat is likely looking for code execution in order to gain access to a host and its network,” Reguly explained. “That doesn’t mean these types of denial-of-service attacks aren’t a concern. The ability to reboot/crash someone’s device is a nuisance and, depending on timing and the individual, could have real-world implications.”

Apple is reported to have been informed of the vulnerability and is looking into it.
