A new attack has been discovered that will cause iOS to restart or respring and macOS to freeze simply by visiting a web page that contains certain CSS & HTML. Windows and Linux users are not affected by this bug.
This new attack was discovered by Sabri Haddouche, a security researcher at Wire, who was able to devise a way to quickly use up an Apple device’s resources so that it crashes when visiting a web page.
This attack affects all browsers on iOS, as well as Safari and Mail in macOS, because they all use the WebKit rendering engine.
“All browsers on iOS are affected because the underlying rendering engine is WebKit,” Haddouche explained. “As per App Store rules, it is forbidden to bring your own rendering engine.”
Depending on the version of iOS being used, it could cause a respring, which is a UI restart, or a kernel panic that causes the device to reboot. For example, Haddouche performed his tests on a iOS 12 and the device completely rebooted, but on iOS 11.4.1, it only caused a respring.
For macOS, the attack will only cause Mail and Safari to freeze for a second and then slow down the computer.
Attack works by simply by visiting a web page
When a user visits a page hosting this specially crafted CSS & HTML, depending on the iOS version, the device will quickly use up all available resources. On iOS this will cause either a kernel panic and a reboot or a restarting of the iOS SpringBoard.
For Mac users, this will cause your computer to freeze briefly and slow down, but you can close the Safari tab to stop the attack.
To illustrate this attack, I created a video showing what happens when you visit Haddouche’s attack page on Github with an iPhone running iOS 11.4.1. As you can see, once I visited the page the iOS SpringBoard quickly crashed and restarted.
Unfortunately, at this time there is no way to mitigate against this type of attack. Haddouche has told internetnewsblog that other than “not clicking on random links, Apple will have to deploy a fix.”
For those who want to see the CSS & HTML that causes this attack, the researcher has posted it on his GitHub page. Just be careful when clicking on the rawgit.com link as it will quickly crash your iOS or cause problems on your Mac.
9/15/18: Article updated to reflect that it does not brick Mac computers, but causes the Safari session to automatically start and freeze the Mac again.