Security Researcher Discovers Snippet of CSS Code That Forces iOS to Reboot, Apple Investigating

Discussion in 'iOS Blog Discussion' started by MacRumors, Sep 17, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    [​IMG]
    A new iOS vulnerability was discovered by a security researcher over the weekend, causing affected iPhones and iPads to crash and restart when following a link to an HTML page hosting specially crafted CSS code.

    The vulnerability hits the WebKit rendering engine used in Safari by applying a CSS effect -- "backdrop-filter" -- that requires enough heavy graphics processing to cause iOS to crash completely.

    Software engineer and security researcher Sabri Haddouche, who works for encrypted messaging app Wire, discovered the vulnerability and shared videos of its effects on Twitter. Haddouche also discussed his findings with ZDNet:
    Apple has been notified of the vulnerability, and Haddouche confirmed that the company is actively investigating the issue. The researcher also notes that the CSS code in its current form will freeze Safari on macOS "for a minute," and then slow it down, but the Mac won't crash. However, a modified version with Javascript could end with the same outcome as the iOS version, crashing the Mac computer that it's on.

    Haddouche didn't publish the modified macOS vulnerability because once the computer reboots, Safari persists and the browser is automatically launched again with the same result, resulting in a cycle of reboots. The researcher says that he discovered the vulnerabilities during research for denial of service bugs on different web browsers.

    Article Link: Security Researcher Discovers Snippet of CSS Code That Forces iOS to Reboot, Apple Investigating
     
  2. TwoBytes macrumors 68030

    TwoBytes

    Joined:
    Jun 2, 2008
  3. MacSince1985 macrumors 6502

    Joined:
    Oct 18, 2009
    #3
    Unfortunately, he gives enough details for people to try exploiting the bug themselves.
     
  4. H2SO4 macrumors 601

    Joined:
    Nov 4, 2008
    #4
    It needs to be done. That’s how you keep big companies from brushing things under the carpet.
    There are plenty of exploits Apple and others have ignored and continue to ignore. A consumer backlash is what keeps them in check.
     
  5. Ries macrumors 68020

    Joined:
    Apr 21, 2007
    #5
    It sends a render task so big to the "gpu" subsystem that it triggers the watchdog.
     
  6. Markoth macrumors 6502

    Markoth

    Joined:
    Oct 1, 2015
    Location:
    Behind You
    #6
    Actually, this is highly improper. Generally-speaking, you inform companies a good bit prior to going live with the info, so that they have time to patch it first. If you care about those affected by this, it's the only right thing to do. This obviously hasn't been patched yet, so now millions out there are vulnerable, and anyone with enough experience can exploit it.
     
  7. Heineken macrumors 65816

    Heineken

    Joined:
    Jan 27, 2018
    #7
    This one is annoying and a bit scary that you can do that so simply.
     
  8. IGI2 macrumors 6502a

    IGI2

    Joined:
    May 6, 2015
    #8
    As it is not a security bug, it's not concerned dangerous.

    He posted it in objections regarding Google's assessment view. The view that doesn't see these kind of bugs as money worthy ones.
     
  9. 69Mustang macrumors 604

    69Mustang

    Joined:
    Jan 7, 2014
    Location:
    In between a rock and a hard place
    #9
    This is more a nuisance bug, like the Telugu character. It's not a security bug. What exactly are millions vulnerable to, annoyance?
     
  10. Martius macrumors 6502

    Martius

    Joined:
    Jul 12, 2008
    Location:
    Prague, CZ
    #10
    Backdrop-filter is a CSS property that allows you to create for example the background blur effect you know from iOS / macOS. You know, there is a window and the windows behind that window are blurred. It uses a lot of GPU. If you create a lot of elements with this property, Safari starts freezing. But it's not security bug. If your website causes this kind of problem, people won't be visiting it and you are the only one who has some kind of "damage" because of that. I think you can freeze browser using JavaScript, if you run a badly written function. But why would you do that?
     
  11. PBG4 Dude macrumors 68030

    PBG4 Dude

    Joined:
    Jul 6, 2007
    #11
    Because, a crash is the starting point of an exploit. If you can get it to run some arbitrary code right at or after the point of crash, maybe you can make the system do something it normally wouldn’t, or shouldn’t do.
     
  12. ArtOfWarfare macrumors G3

    ArtOfWarfare

    Joined:
    Nov 26, 2007
    #12
    Strange that this would crash all of iOS instead of just the webpage.

    Also, seems like you could make an ad that exploits this... if it works with css, I'd think you could just use the style attribute of a div element in html to achieve the same thing.
     
  13. dumastudetto macrumors 68040

    Joined:
    Aug 28, 2013
    #13
    When it comes to security, these people will never defeat Apple.
     
  14. twistedpixel8 macrumors 6502

    twistedpixel8

    Joined:
    Jun 9, 2017
    #14
    The key is that it utilizes hardware acceleration to achieve this WebKit-only effect. It’s likely triggering something serious at a very low level, causing a kernel panic (or similar).
     
  15. bluecoast macrumors 65816

    Joined:
    Nov 7, 2017
    #15
    This could be a plot element in Groundhog Day 2
     
  16. kryten3000 macrumors 6502

    kryten3000

    Joined:
    Apr 7, 2010
    Location:
    Ecuador (Cotopaxi)
    #16
    Funny, I posted about this earlier and you folks are just NOW writing an article!
     
  17. gaximus macrumors 6502a

    Joined:
    Oct 11, 2011
    #17
    No its not. "Getting it to run some arbitrary code", is the starting point of an exploit. in fact the crash would stop any kind of exploit because the system is down, as in can't run anymore code.
     
  18. TMRJIJ macrumors 68040

    TMRJIJ

    Joined:
    Dec 12, 2011
    Location:
    South Carolina, United States
    #18
    Ask MR for some cred, bruh...
     
  19. timeconsumer macrumors 68000

    timeconsumer

    Joined:
    Aug 1, 2008
    Location:
    Portland
    #19
    Did you try submitting this to them?

    Can contact them here: https://www.macrumors.com/share.php
     
  20. Markoth macrumors 6502

    Markoth

    Joined:
    Oct 1, 2015
    Location:
    Behind You
    #20
    Doesn't matter. This should have been reported to Apple first. Oftentimes, glitches like these can lead to tangible security vulnerabilities. We don't know exactly what's going wrong internally to cause this crash. If whatever it is is something which can be exploited to do something worse, then you will have seen my point. Bugs this critical should be reported immediately.
     
  21. 69Mustang macrumors 604

    69Mustang

    Joined:
    Jan 7, 2014
    Location:
    In between a rock and a hard place
    #21
    Outside of you making the suggestion, there's nothing that remotely linking this bug to anything but being annoying. Glitches can lead to security vulnerabilities. They can also just be annoying glitches. It's not critical. The researcher reported it to Apple. Apple's response to the bug demonstrates the level of "critical" it carries. There doesn't seem to be a sense of urgency by anyone involved with this.
     
  22. Markoth macrumors 6502

    Markoth

    Joined:
    Oct 1, 2015
    Location:
    Behind You
    #22
    Since we're both operating without enough information, I'd prefer to be on the side of caution. Report, fix, disclose. The only way to do things. If you were a software developer, you'd understand the situation the way I do. Any unintended behavior can have any number of side effects, which none of us who don't have access to the source code can verify. Security is important, more important that most people realize. Generally, it's better to be safe than sorry.
     
  23. 69Mustang macrumors 604

    69Mustang

    Joined:
    Jan 7, 2014
    Location:
    In between a rock and a hard place
    #23
    You have no idea my occupation. You also don't speak for the software engineering community. The implication that your opinion is shared by all software engineers is laughable. There's nothing in my quote that implies a lack of understanding of, or concern for security. Just like there's nothing in your quotes that imply a greater understanding of security. What you should take from my quote is I fully understand that this bug can cause a minor issue. Until there are facts to support a greater concern, I'll save my worry for something more worthwhile.
     
  24. Markoth macrumors 6502

    Markoth

    Joined:
    Oct 1, 2015
    Location:
    Behind You
    #24
    Calm thyself. Either attempt to challenge what I say, or say nothing. I stand by what I said: report, fix, disclose. Come up with your own arguments if you think I'm wrong. You have yet to do so. All I see is defensiveness, which doesn't help your argument in the least.

    I'll finish this off by saying that I am Security+ certified, working on a few other security-related certs. Should be worth something, no?
     
  25. rafark macrumors 6502a

    rafark

    Joined:
    Sep 1, 2017
    #25
    Dude it's just css, it's a styling/presentation component. the worst it can do is mess with the rendering engine. Web technologies are executed in an isolated sandbox.
    --- Post Merged, Sep 19, 2018 ---
    only thing is, this is not critical, most likely the system got stuck in an infinite recursive resource-intensive task and crashed after some time.
     

Share This Page

25 September 17, 2018