Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Security Researcher Discovers Snippet of CSS Code That Forces iOS to Reboot, Apple Investigating

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
68,574
39,430



ios7_safari_icon.jpg
A new iOS vulnerability was discovered by a security researcher over the weekend, causing affected iPhones and iPads to crash and restart when following a link to an HTML page hosting specially crafted CSS code.

The vulnerability hits the WebKit rendering engine used in Safari by applying a CSS effect -- "backdrop-filter" -- that requires enough heavy graphics processing to cause iOS to crash completely.

Software engineer and security researcher Sabri Haddouche, who works for encrypted messaging app Wire, discovered the vulnerability and shared videos of its effects on Twitter. Haddouche also discussed his findings with ZDNet:
"The attack uses a weakness in the -webkit-backdrop-filter CSS property, which uses 3D acceleration to process elements behind them," Haddouche told ZDNet in an interview.

"By using nested divs with that property, we can quickly consume all graphic resources and freeze or kernel panic the OS."
Click to expand...
Apple has been notified of the vulnerability, and Haddouche confirmed that the company is actively investigating the issue. The researcher also notes that the CSS code in its current form will freeze Safari on macOS "for a minute," and then slow it down, but the Mac won't crash. However, a modified version with Javascript could end with the same outcome as the iOS version, crashing the Mac computer that it's on.

Haddouche didn't publish the modified macOS vulnerability because once the computer reboots, Safari persists and the browser is automatically launched again with the same result, resulting in a cycle of reboots. The researcher says that he discovered the vulnerabilities during research for denial of service bugs on different web browsers.

Article Link: Security Researcher Discovers Snippet of CSS Code That Forces iOS to Reboot, Apple Investigating
 
Article Link
https://www.macrumors.com/2018/09/17/css-code-forces-ios-reboot/
H2SO4 said:
It needs to be done. That’s how you keep big companies from brushing things under the carpet.
There are plenty of exploits Apple and others have ignored and continue to ignore. A consumer backlash is what keeps them in check.
Click to expand...
Actually, this is highly improper. Generally-speaking, you inform companies a good bit prior to going live with the info, so that they have time to patch it first. If you care about those affected by this, it's the only right thing to do. This obviously hasn't been patched yet, so now millions out there are vulnerable, and anyone with enough experience can exploit it.
 
  • Like
Reactions: ILikeAllOS, thisisnotmyname and linkmaster02
MacSince1985 said:
Unfortunately, he gives enough details for people to try exploiting the bug themselves.
Click to expand...
As it is not a security bug, it's not concerned dangerous.

He posted it in objections regarding Google's assessment view. The view that doesn't see these kind of bugs as money worthy ones.
 
Markoth said:
Actually, this is highly improper. Generally-speaking, you inform companies a good bit prior to going live with the info, so that they have time to patch it first. If you care about those affected by this, it's the only right thing to do. This obviously hasn't been patched yet, so now millions out there are vulnerable, and anyone with enough experience can exploit it.
Click to expand...
This is more a nuisance bug, like the Telugu character. It's not a security bug. What exactly are millions vulnerable to, annoyance?
 
  • Like
Reactions: rafark and kdarling
Backdrop-filter is a CSS property that allows you to create for example the background blur effect you know from iOS / macOS. You know, there is a window and the windows behind that window are blurred. It uses a lot of GPU. If you create a lot of elements with this property, Safari starts freezing. But it's not security bug. If your website causes this kind of problem, people won't be visiting it and you are the only one who has some kind of "damage" because of that. I think you can freeze browser using JavaScript, if you run a badly written function. But why would you do that?
 
Martius said:
Backdrop-filter is a CSS property that allows you to create for example the background blur effect you know from iOS / macOS. You know, there is a window and the windows behind that window are blurred. It uses a lot of GPU. If you create a lot of elements with this property, Safari starts freezing. But it's not security bug. If your website causes this kind of problem, people won't be visiting it and you are the only one who has some kind of "damage" because of that. I think you can freeze browser using JavaScript, if you run a badly written function. But why would you do that?
Click to expand...
Because, a crash is the starting point of an exploit. If you can get it to run some arbitrary code right at or after the point of crash, maybe you can make the system do something it normally wouldn’t, or shouldn’t do.
 
  • Like
Reactions: MacSince1985, Glideslope, Dorje Sylas and 2 others
Strange that this would crash all of iOS instead of just the webpage.

Also, seems like you could make an ad that exploits this... if it works with css, I'd think you could just use the style attribute of a div element in html to achieve the same thing.
 
ArtOfWarfare said:
Strange that this would crash all of iOS instead of just the webpage.

Also, seems like you could make an ad that exploits this... if it works with css, I'd think you could just use the style attribute of a div element in html to achieve the same thing.
Click to expand...

The key is that it utilizes hardware acceleration to achieve this WebKit-only effect. It’s likely triggering something serious at a very low level, causing a kernel panic (or similar).
 
PBG4 Dude said:
Because, a crash is the starting point of an exploit. If you can get it to run some arbitrary code right at or after the point of crash, maybe you can make the system do something it normally wouldn’t, or shouldn’t do.
Click to expand...

No its not. "Getting it to run some arbitrary code", is the starting point of an exploit. in fact the crash would stop any kind of exploit because the system is down, as in can't run anymore code.
 
  • Like
Reactions: ILikeAllOS and rafark
69Mustang said:
This is more a nuisance bug, like the Telugu character. It's not a security bug. What exactly are millions vulnerable to, annoyance?
Click to expand...
Doesn't matter. This should have been reported to Apple first. Oftentimes, glitches like these can lead to tangible security vulnerabilities. We don't know exactly what's going wrong internally to cause this crash. If whatever it is is something which can be exploited to do something worse, then you will have seen my point. Bugs this critical should be reported immediately.
 
Markoth said:
Doesn't matter. This should have been reported to Apple first. Oftentimes, glitches like these can lead to tangible security vulnerabilities. We don't know exactly what's going wrong internally to cause this crash. If whatever it is is something which can be exploited to do something worse, then you will have seen my point. Bugs this critical should be reported immediately.
Click to expand...
Outside of you making the suggestion, there's nothing that remotely linking this bug to anything but being annoying. Glitches can lead to security vulnerabilities. They can also just be annoying glitches. It's not critical. The researcher reported it to Apple. Apple's response to the bug demonstrates the level of "critical" it carries. There doesn't seem to be a sense of urgency by anyone involved with this.
 
  • Like
Reactions: rafark
69Mustang said:
Outside of you making the suggestion, there's nothing that remotely linking this bug to anything but being annoying. Glitches can lead to security vulnerabilities. They can also just be annoying glitches. It's not critical. The researcher reported it to Apple. Apple's response to the bug demonstrates the level of "critical" it carries. There doesn't seem to be a sense of urgency by anyone involved with this.
Click to expand...
Since we're both operating without enough information, I'd prefer to be on the side of caution. Report, fix, disclose. The only way to do things. If you were a software developer, you'd understand the situation the way I do. Any unintended behavior can have any number of side effects, which none of us who don't have access to the source code can verify. Security is important, more important that most people realize. Generally, it's better to be safe than sorry.
 
Markoth said:
Since we're both operating without enough information, I'd prefer to be on the side of caution. Report, fix, disclose. The only way to do things. If you were a software developer, you'd understand the situation the way I do. Any unintended behavior can have any number of side effects, which none of us who don't have access to the source code can verify. Security is important, more important that most people realize. Generally, it's better to be safe than sorry.
Click to expand...
You have no idea my occupation. You also don't speak for the software engineering community. The implication that your opinion is shared by all software engineers is laughable. There's nothing in my quote that implies a lack of understanding of, or concern for security. Just like there's nothing in your quotes that imply a greater understanding of security. What you should take from my quote is I fully understand that this bug can cause a minor issue. Until there are facts to support a greater concern, I'll save my worry for something more worthwhile.
 
69Mustang said:
You have no idea my occupation. You also don't speak for the software engineering community. The implication that your opinion is shared by all software engineers is laughable. There's nothing in my quote that implies a lack of understanding of, or concern for security. Just like there's nothing in your quotes that imply a greater understanding of security. What you should take from my quote is I fully understand that this bug can cause a minor issue. Until there are facts to support a greater concern, I'll save my worry for something more worthwhile.
Click to expand...
Calm thyself. Either attempt to challenge what I say, or say nothing. I stand by what I said: report, fix, disclose. Come up with your own arguments if you think I'm wrong. You have yet to do so. All I see is defensiveness, which doesn't help your argument in the least.

I'll finish this off by saying that I am Security+ certified, working on a few other security-related certs. Should be worth something, no?
 
PBG4 Dude said:
Because, a crash is the starting point of an exploit. If you can get it to run some arbitrary code right at or after the point of crash, maybe you can make the system do something it normally wouldn’t, or shouldn’t do.
Click to expand...
Dude it's just css, it's a styling/presentation component. the worst it can do is mess with the rendering engine. Web technologies are executed in an isolated sandbox.
[doublepost=1537394375][/doublepost]
Markoth said:
Doesn't matter. This should have been reported to Apple first. Oftentimes, glitches like these can lead to tangible security vulnerabilities. We don't know exactly what's going wrong internally to cause this crash. If whatever it is is something which can be exploited to do something worse, then you will have seen my point. Bugs this critical should be reported immediately.
Click to expand...
only thing is, this is not critical, most likely the system got stuck in an infinite recursive resource-intensive task and crashed after some time.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back