New Exploit Enables Crash of iPhones, iPads, and Macs
An exploit discovered in 2018 can crash and reboot any iPhone, iPad, or Mac when the device loads a simple web page containing only a few lines of code. The vulnerability raises significant security concerns about Apple’s operating systems and their web rendering engine, WebKit.
The exploit was brought to light by Sabri Haddouche, a security researcher affiliated with the encrypted messaging platform Wire. He introduced a proof-of-concept web page that demonstrates how targeted CSS and HTML code can lead to severe device failures, characterized by kernel panic and system restarts. This exploit effectively consumes all available system resources, prompting full device shutdowns.
Haddouche’s research indicates that the flaw resides in WebKit, the core rendering engine responsible for displaying web content in applications across Apple’s ecosystem. The issue arises from WebKit’s inability to correctly process specific CSS constructs, notably “div” elements nested inside a backdrop filter property, which leads to resource exhaustion on affected devices.
A notable aspect of the exploit is its widespread impact; it is not limited to a single browser or operating system. All major browsers—including Microsoft Edge, Internet Explorer, and Safari on both iOS and macOS—are susceptible due to their reliance on WebKit. However, users on Windows and Linux systems are not at risk from this particular vulnerability.
Haddouche showcased the exploit in a video demonstration, revealing its effectiveness on various devices, including the latest iterations of macOS and iOS. The Hacker News corroborated this functionality by testing the exploit across different browsers, confirming that it successfully crashed devices involved in the tests.
In light of these developments, it is prudent for Apple users to exercise caution when navigating the web. Links shared via social media platforms or email should be treated with skepticism to mitigate risk. Haddouche has made the source code for the exploit available on his GitHub page, furthering transparency concerning this security issue.
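For defenders who inspect HTML at a mail or web gateway, the combination described above (deeply nested “div” elements together with a backdrop filter declaration) can be screened for statically. The following Python sketch is an added example, not code from Haddouche or from the original report; the `assess` function, the depth threshold, and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed threshold for this sketch; tune it against your own benign traffic.
MAX_DIV_DEPTH = 500
BACKDROP_RE = re.compile(r"backdrop-filter\s*:", re.IGNORECASE)

class _Scanner(HTMLParser):
    """Tracks <div> nesting depth and collects inline and <style> CSS."""
    def __init__(self):
        super().__init__()
        self.depth = self.max_depth = 0
        self.in_style = False
        self.css = []

    def handle_starttag(self, tag, attrs):
        if tag == "div":  # unclosed divs still nest, so count on open
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)
        elif tag == "style":
            self.in_style = True
        self.css.append(dict(attrs).get("style") or "")

    def handle_endtag(self, tag):
        if tag == "div" and self.depth:
            self.depth -= 1
        elif tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)

def assess(html, max_depth=MAX_DIV_DEPTH):
    """Flag markup that combines backdrop-filter with very deep <div> nesting."""
    # Limitation: external stylesheets and script-built DOM are not inspected.
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    uses = bool(BACKDROP_RE.search("\n".join(scanner.css)))
    return {"max_div_depth": scanner.max_depth, "uses_backdrop_filter": uses,
            "suspicious": uses and scanner.max_depth > max_depth}

if __name__ == "__main__":
    # Constructed samples, not taken from the published proof of concept.
    benign = "<style>.bar{backdrop-filter:blur(4px)}</style><div class=bar><div>hi</div></div>"
    nested = "<style>div{backdrop-filter:blur(4px)}</style>" + "<div>" * 40
    for name, page in (("benign", benign), ("nested", nested)):
        print(name, assess(page, max_depth=20))
```

Requiring both signals keeps ordinary pages that use backdrop filters on a shallow layout from being flagged.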
Haddouche has formally reported the WebKit vulnerability to Apple. The company is currently investigating the matter and is expected to implement remedies in future software updates. As the cybersecurity landscape continues to evolve, businesses must remain vigilant, prepared to address vulnerabilities that can disrupt operations and compromise user data.
For business owners keen on cybersecurity, understanding tactics linked to this attack is crucial. Potential adversary tactics as classified by the MITRE ATT&CK framework include initial access, where attackers exploit weaknesses to gain entry, and resource exhaustion, which can be amplified by inadequate system defenses. As this incident demonstrates, a proactive stance in cybersecurity can be vital to safeguarding both operational integrity and sensitive information.