A security researcher from Wired, an encrypted messaging app for mobile devices, discovered a “proof-of-concept” (PoC) website that specifically used CSS & HTML code to form their exploitation. Aside from simply crashing the device when visiting the web page, it is possible that it could cause the device to go into a full kernel panic mode and even a complete system reboot. WebKit is what Apple uses as a web rendering engine–all the apps and browsers running on Apple’s operating system use it. Due to a flaw on WebKit’s end, the exploitation was able to be carried out by simply creating a web page that takes up all the device’s resources. Although Windows and Linux have not been affected by this vulnerability, Microsoft Edge, Internet Explorer, and Safari for iOS, as well as mail and Safari for macOS have all seen issues. The code thread that can cause all this can be found on GitHub and the exploitation was made known to Apple and it seems as if there is a chance they will investigate it themselves. Users are urged to be cautious when receiving messages in an email or on Facebook, especially if the sender is not recognized.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased