A new attack has been discovered that will cause iOS to restart or respring and macOS to freeze simply by visiting a web page that contains certain CSS & HTML. Windows and Linux users are not affected by this bug.

This new attack was discovered by Sabri Haddouche, a security researcher at Wire, who was able to devise a way to quickly use up an Apple device's resources so that it crashes when visiting a web page.

"The attack uses a weakness in the -webkit-backdrop-filter CSS property," Haddouche told BleepingComputer. "By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require JavaScript to be enabled, therefore it also works in Mail. On macOS, the UI freezes. On iOS, the device restarts."

This attack affects all browsers on iOS, as well as Safari and Mail in macOS, because they all use the WebKit rendering engine.

"All browsers on iOS are affected because the underlying rendering engine is WebKit," Haddouche explained. "As per App Store rules, it is forbidden to bring your own rendering engine."

Depending on the version of iOS being used, the attack can cause a respring, which is a restart of the user interface, or a kernel panic that reboots the device. For example, when Haddouche tested it on an iOS 12 device, the device completely rebooted, but on iOS 11.4.1 it only caused a respring.

On macOS, the attack only causes Mail and Safari to freeze for a second and then slows down the computer.

Haddouche has told BleepingComputer that he has created an additional attack using HTML, CSS, and JavaScript that will totally freeze macOS computers. He has not released it as it persists after reboot and macOS will relaunch Safari with the malicious page as well, making the computer freeze again.

Attack works simply by visiting a web page

When a user visits a page hosting this specially crafted CSS & HTML, the device quickly uses up all available graphics resources. On iOS, depending on the version, this causes either a kernel panic and a reboot, or a restart of the iOS SpringBoard.
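The pattern Haddouche describes, deeply nested elements that each apply -webkit-backdrop-filter, is something a mail gateway or web proxy can at least flag before the content reaches WebKit. The following scanner is an added example written for this article, not Haddouche's proof of concept or any BleepingComputer code; it counts uses of the property in inline styles and <style> blocks, tracks element nesting depth, and treats a document as suspicious when both the property is present and nesting exceeds a threshold (the threshold of 20 is an assumed heuristic, not a figure from the article).

```python
from html.parser import HTMLParser
import re

PROPERTY = "-webkit-backdrop-filter"
# Void elements never get a closing tag, so they must not change nesting depth.
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta", "source", "wbr"}

class BackdropFilterScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.depth = 0            # currently open (non-void) elements
        self.max_depth = 0
        self.inline_uses = 0      # style="..." attributes naming the property
        self.stylesheet_uses = 0  # occurrences inside <style> blocks
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value and PROPERTY in value.lower():
                self.inline_uses += 1

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        if tag not in VOID_TAGS and self.depth > 0:
            self.depth -= 1

    def handle_data(self, data):
        if self._in_style:
            self.stylesheet_uses += len(re.findall(re.escape(PROPERTY), data, re.I))

def scan(html_text, depth_threshold=20):
    """Counts plus a 'suspicious' verdict: the property is present and elements
    nest deeper than depth_threshold (an assumed cut-off, not from the article)."""
    parser = BackdropFilterScanner()
    parser.feed(html_text)
    parser.close()
    uses = parser.inline_uses + parser.stylesheet_uses
    return {"property_uses": uses, "max_depth": parser.max_depth,
            "suspicious": uses > 0 and parser.max_depth > depth_threshold}

# Constructed samples: a page using the property once, and one nesting it deeply.
BENIGN = "<html><body><div style='-webkit-backdrop-filter: blur(4px)'>ok</div></body></html>"
NESTED = ("<html><body>" + "<div style='-webkit-backdrop-filter: blur(1px)'>" * 30
          + "x" + "</div>" * 30 + "</body></html>")
```

A single use of the property on a normally structured page is legitimate and is not flagged; only the combination of the property with unusually deep nesting trips the verdict.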

For Mac users, this will cause the computer to freeze briefly and slow down, but closing the Safari tab stops the attack.

To illustrate this attack, I created a video showing what happens when you visit Haddouche's attack page on GitHub with an iPhone running iOS 11.4.1. As you can see, once I visited the page the iOS SpringBoard quickly crashed and restarted.

Unfortunately, at this time there is no way to mitigate against this type of attack. Haddouche has told BleepingComputer that other than "not clicking on random links, Apple will have to deploy a fix."

For those who want to see the CSS & HTML that causes this attack, the researcher has posted it on his GitHub page. Just be careful when clicking on the rawgit.com link as it will quickly crash your iOS or cause problems on your Mac.

9/15/18: Article updated to reflect that it does not brick Mac computers, but causes the Safari session to automatically start and freeze the Mac again.
