New CSS vulnerability could crash and restart your iPhone

17 Sep 2018

Woman holding iPhone. Image: chainarong06/Shutterstock

A vulnerability in an engine used by Safari can crash and restart the iOS operating system.

Last week was a major turning point for the copyright battle in the EU, as lawmakers voted to implement controversial measures such as the so-called ‘link tax’ and upload filter. The decision polarised many, with some calling it a win for creative workers while others deemed it unworkable.

Meanwhile, numerous apps purporting to be beta versions of the gaming phenomenon Fortnite could be exposing users to a litany of privacy risks, according to research from Top10VPN. Many of the fake apps are just malware and adware in disguise.

For Facebook, using renewable power is a crucial element of its new €300m data centre park in Clonee, Co Meath. One of the largest data centre projects in Ireland, Facebook broke ground at Clonee in 2016, with an average of 1,150 people on site per day during peak construction.

Read on for some of the most notable enterprise stories of the last week.

Latest iPhone bug caused by CSS vulnerability

A security researcher at encrypted instant messaging app Wire found a vulnerability in the WebKit rendering engine used by Safari. Software engineer and researcher Sabri Haddouche published proof-of-concept code on Twitter early on 15 September.

In essence, WebKit is exploitable by loading an HTML page that uses specially created CSS code. The code then tries to apply a CSS effect called ‘backdrop filter’ to a series of nested page segments (divs). The backdrop filter blurs or colour-shifts the area behind an element and takes a heavy toll on iOS’s graphics processing library. Haddouche told ZDNet: “The attack uses a weakness in the webkit-backdrop-filter CSS property, which uses 3D acceleration to process elements behind them.

“By using nested divs with that property, we can quickly consume all graphic resources and freeze or kernel-panic the OS.” The researcher said he told Apple of the issue before publishing the code on Twitter. While the vulnerability is undoubtedly annoying, it can only cause the phone to crash and is no use when it comes to running malicious code.
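The mechanism described above, deeply nested elements that each carry a backdrop filter, is something a content proxy or HTML sanitiser can check for before handing a page to a WebKit view. The scanner below is an added example for this article, not code from the researcher or from Apple: it walks an HTML document with the standard-library parser, tracks how deeply elements with an inline `backdrop-filter` (or `-webkit-backdrop-filter`) declaration are nested inside each other, and flags the document when that depth crosses a threshold. The threshold value and the restriction to inline styles are assumptions made for the example; the sample documents are constructed.

```python
from html.parser import HTMLParser

# Elements that never get a closing tag; they must not be pushed on the nesting stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class BackdropNestingScanner(HTMLParser):
    """Measure how deeply elements declaring an inline backdrop-filter nest inside each other.

    Only inline style attributes are inspected (assumption for this example);
    rules in <style> blocks or external stylesheets are not resolved.
    """

    def __init__(self):
        super().__init__()
        self._stack = []      # one bool per open element: True if it declares backdrop-filter
        self.max_depth = 0    # deepest chain of backdrop-filter elements seen
        self.total = 0        # total number of elements declaring backdrop-filter

    def handle_starttag(self, tag, attrs):
        style = (dict(attrs).get("style") or "").lower()
        # Matches both "backdrop-filter" and the vendor-prefixed "-webkit-backdrop-filter".
        has_filter = "backdrop-filter" in style
        if has_filter:
            self.total += 1
        if tag in VOID_ELEMENTS:
            return
        self._stack.append(has_filter)
        if has_filter:
            # Depth counts only the ancestors that also carry the property.
            self.max_depth = max(self.max_depth, sum(self._stack))

    def handle_endtag(self, tag):
        if self._stack:
            self._stack.pop()


def scan_html(html, depth_threshold=4):
    """Return nesting statistics and a verdict for one HTML document.

    depth_threshold is a constructed value for the example; a deployment would tune it
    against the pages it actually serves.
    """
    scanner = BackdropNestingScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "max_nesting": scanner.max_depth,
        "count": scanner.total,
        "suspicious": scanner.max_depth >= depth_threshold,
    }


# Constructed sample documents: one ordinary page and one with a chain of nested filtered divs.
BENIGN_PAGE = '<html><body><div style="backdrop-filter: blur(2px)"><p>hello<br></p></div></body></html>'
NESTED_PAGE = (
    "<html><body>"
    + "<div style='-webkit-backdrop-filter: blur(4px)'>" * 5
    + "x"
    + "</div>" * 5
    + "</body></html>"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PAGE), ("nested", NESTED_PAGE)):
        print(name, scan_html(doc))
```

The check is deliberately conservative: a single backdrop-filtered element, or a few siblings, is normal web design and passes, while a chain of filtered ancestors, the pattern the researcher describes, is what pushes the verdict to suspicious.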

Ransomware attack pulls down flight display screens at UK airport

Normal service resumed at Bristol Airport on 16 September following two days of outages causing total blackouts on flight data screens. According to Infosecurity magazine, the airport staff were forced to write regular updates on whiteboards detailing flight data.

According to airport spokesperson James Gore, a “speculative” ransomware attack was to blame. He added: “We believe there was an online attempt to target part of our administrative systems, and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens.” The airport did not pay the ransom.

Facebook takes action against ‘deepfakes’

Facebook has already implemented a number of features to rate the accuracy of news content, and now the company is officially checking videos and photos under similar criteria. On 13 September, the company wrote: “To date, most of our fact-checking partners have focused on reviewing articles. However, we have also been actively working to build new technology and partnerships so that we can tackle other forms of misinformation.

“Today, we’re expanding fact-checking for photos and videos to all of our 27 partners in 17 countries around the world (and are regularly onboarding new fact-checking partners). This will help us identify and take action against more types of misinformation, faster.”

Flagged images will go directly to specialist fact-checkers, who will examine things such as image or video metadata.

North Korea hits out at US indictment of alleged cyber-criminal

Earlier in September, Park Jin Hyok was arrested by US investigators who believe he was involved in the WannaCry and Sony Pictures cyberattacks, among others. Pyongyang’s foreign ministry said the US charges amounted to little more than “vicious slander”. The ministry also described Park as a “non-entity”.

The US authorities say that Park and other people involved were given away by their social media accounts as well as online aliases, malware code libraries and IP addresses linked to the attacks.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com