Opening a page with just a few lines of CSS code can crash iOS devices like the iPhone or iPad.
A new vulnerability has been discovered in Apple’s WebKit that lets attackers crash iPhones and iPads relatively easily with just a few lines of CSS code.
The CSS snippet only needs to be placed on a single page. If an iOS user receives it as a link, for example, and opens it in the Safari browser, the device crashes. The cause of the problem probably lies in a fairly new feature of the style sheet language CSS. It makes it possible, for example, to blur the background of an object and change its color, so that elements placed over an image can be made easier to recognize.
The vulnerability itself lies in Apple’s WebKit rendering engine, which is responsible for displaying web pages. Since Apple forces all browser manufacturers to use its in-house WebKit, all browsers on iOS are affected. And not only browsers: other apps also rely on WebKit to display content, so some apps can be vulnerable as well.
The vulnerability was disclosed by security researcher Sabri Haddouche via GitHub. According to Haddouche, Apple is currently examining the information provided. The attack works on iOS 9, which appeared in 2015, and later versions.
There is currently no patch or workaround for the vulnerability. Haddouche also advises against clicking on the link indiscriminately. Apple and other browser manufacturers are now being asked to close the gap quickly.
Recurring trouble with WebKit
Apple has been struggling with a number of bugs in WebKit. As recently as February 2018, the notorious Telugu bug caused problems in rendering complex Unicode and crashed iOS and macOS devices. Time and again, links circulate on social media platforms that crash or even freeze Safari; most recently, the crash link known as ChaiOS was spread via Twitter.