CSS code crashes and restarts iPhone, Mac and Apple Watch

Whether you are a new or longtime user of Apple products – especially the iPhone – you have likely heard of a “code bug”. These errors cause the device to crash, and possibly restart, when it receives code that contains specific characters or that exploits a flaw in the iOS rendering engine.

Last February, we commented on a similar bug that affected the Messages app on both iPhones and Macs. Now security researcher Sabri Haddouche has found a new way to lock and restart the iPhone with just a few lines of CSS code.

How to force any iOS device to reboot with just CSS?

Source: gist.github.com/pwnsdx/ce64de2…

IF YOU WANT TO TRY (DON’T BLAME ME IF YOU CLICK): cdn.rawgit.com/pwnsdx/ce64de2…

The bug affects any iOS device that can interpret graphic filters, one of the W3C’s mechanisms for applying filters. On the iPhone / iPad / iPod touch, this functionality was first introduced in iOS 7.

Essentially, when the code is opened in Safari, it causes a read error that is applied to all div elements on the page. The constant read errors end up overloading WebKit, the rendering engine used by Safari, causing the familiar kernel panic, which forces the system to restart to prevent damage to the hardware.

Haddouche shared the GitHub link for anyone who wants to view the bug’s source code; it’s just a few lines of HTML and CSS. If you want to test the bug (for whatever reason), you can access this link through Safari – at your own risk, of course.

It has been confirmed that the bug affects Safari on iOS 11, the Golden Master (GM) version of iOS 12 (the bug also affects Siri Shortcuts), watchOS 4 and the GM of watchOS 5. On macOS 10.13.6, the code may only cause Safari to freeze for a few moments.

It seems that watchOS 5 is also susceptible.

Although annoying, the good news is that this attack cannot be used to execute malicious code, for example to steal user data. However, there is no easy way to prevent someone from falling for it, as just tapping a link sent by any application, message or HTML email that renders the code can lock the device instantly.

Haddouche told TechCrunch that he has already contacted Apple to report the bug, and that the company said it was investigating the problem. Apple is likely to launch a new software update as soon as it releases the final, public version of iOS 12, which will be released this afternoon.