UPDATED 22:10 EDT / SEPTEMBER 17 2018

INFRA

Webpage design code embedded in websites can crash iOS and macOS devices

A security researcher has published a proof-of-concept attack that can crash an Apple Inc. iOS or macOS device using nothing more than 15 lines of code embedded in a webpage.

Published by Sabri Haddouche, a security researcher at Wire on GitHub, the Cascading Style Sheets or CSS code exploits a vulnerability in the WebKit rendering engine, Apple’s open-source web browser engine used by Safari, Mail, the App Store and other apps on both macOS and iOS.

On the technical side, the CSS code uses multiple nested elements inside an effect called a backdrop-filter used for color shifting behind the element. The process is an intensive task and as an app using WebKit attempts to process the CSS code, the rendering engine exhausts the system’s resources, forcing the device to reboot to recover.

The Register noted that on systems that don’t crash, the HTML renders a picture of a “triggered” Thomas the Tank Engine.

Though the code primarily targets WebKit-enabled apps, Apple-powered products are not alone in the affliction. Haddouche noted that the same code crashes tabs in Microsoft Corp.’s IE and Edge web browsers.

Tyler Reguly, manager of software development at Tripwire Inc., told SiliconANGLE that such denial-of-service attacks are not the type pursued by known threat groups.

“A nation state or serious threat is likely looking for code execution in order to gain access to a host and its network,” Reguly explained. “That doesn’t mean these types of denial-of-service attacks aren’t a concern. The ability to reboot/crash someone’s device is a nuisance and, depending on timing and the individual, could have real-world implications.”

Apple is reported to have been informed of the vulnerability and is looking into it.

Photo: Pexels

Since you’re here …

… We’d like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.

Cookies

We employ the use of cookies. Find out more.