New web attack can crash your iOS device and freeze up your Mac

01. October 2018 Security 0

This was written two weeks ago but was never published. Publishing now for record sake 🙂

This weekend a security researcher revealed a new attack that can crash your iOS device and even freeze up your Mac. All you have to do is be unlucky enough to visit a website that has a special blend of CSS and HTML code implemented.

Exploiting a flaw in WebKit, this code will affect all iOS devices as WebKit is the web engine Apple forces users to use. This was tested on iOS 11 and the currently still in Beta iOS 12 and was found to have the same undesired effects. Since WebKit is used by any app that renders HTML on an iOS device this will not only affect Safari. Loading the code in Facebook, Twitter, Mail and other apps that can display HTML will result in a crash of the device. Some iOS versions will not restart the device completely but respring, or relaunch the user interface.

On a Mac loading this code will result in the application such as Safari or Mail freezing and slowing down the rest of the system. Closing the affected application should return the system back to normal performance though.

It is said this issue does not affect Windows and Linux users, however several of those users have reported crashes as well as can be seen in comments on Sabri Haddouche’s twitter post.

BleepingComputer recorded a video of the code in action on an iOS device.

There is currently no mitigation for this attack other than not clicking random links unless they come from a trusted source. The good news is that even though an exploit like this is very annoying if it manages to affect you, it can not be leveraged to load malicious code.

Haddouche also created an additional attack using HTML, CSS, and JavaScript that will totally freeze macOS computers, he told BleepingComputer. He has not released it as it persists after reboot and macOS will relaunch Safari with the malicious page as well, making the computer freeze again.

Apple has been informed by Haddouche so we can likely expect a fix in the next iOS update to mitigate this attack and hopefully others like it. As the pre-ordered iPhone Xs and Xs Max are already being shipped with iOS 12 preloaded, new devices will be susceptible to this attack as well. Whether Apple will address this in the first release of iOS 12 today is unknown. More likely a supplemental update will be released shortly.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.