Vulnerabiltiies


'Vulnerabiltiies' Articles

Security Researcher Discovers Snippet of CSS Code That Forces iOS to Reboot, Apple Investigating

A new iOS vulnerability was discovered by a security researcher over the weekend, causing affected iPhones and iPads to crash and restart when following a link to an HTML page hosting specially crafted CSS code. The vulnerability hits the WebKit rendering engine used in Safari by applying a CSS effect -- "backdrop-filter" -- that requires enough heavy graphics processing to cause iOS to crash completely. Software engineer and security researcher Sabri Haddouche, who works for encrypted messaging app Wire, discovered the vulnerability and shared videos of its effects on Twitter. Haddouche also discussed his findings with ZDNet: "The attack uses a weakness in the -webkit-backdrop-filter CSS property, which uses 3D acceleration to process elements behind them," Haddouche told ZDNet in an interview. "By using nested divs with that property, we can quickly consume all graphic resources and freeze or kernel panic the OS." Apple has been notified of the vulnerability, and Haddouche confirmed that the company is actively investigating the issue. The researcher also notes that the CSS code in its current form will freeze Safari on macOS "for a minute," and then slow it down, but the Mac won't crash. However, a modified version with Javascript could end with the same outcome as the iOS version, crashing the Mac computer that it's on. Haddouche didn't publish the modified macOS vulnerability because once the computer reboots, Safari persists and the browser is automatically launched again with the same result, resulting in a cycle of reboots. The researcher says that he

Intel CEO Pledges Commitment to Security Following Meltdown and Spectre Vulnerabilities

Intel CEO Brian Krzanich today wrote an open letter to Intel customers following the "Meltdown" and "Spectre" hardware-based vulnerabilities that impact its processors. In the letter, Krzanich says that by January 15, updates will have been issued for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder coming at the end of January. For Apple customers, macOS and iOS devices have been patched with protection against Spectre and Meltdown. Meltdown was addressed in macOS High Sierra 10.13.2 and iOS 11.2, while Spectre mitigations were introduced in a macOS 10.13.2 supplemental update and iOS 11.2.2, both of which were released this week. The vulnerabilities have also been addressed in older versions of macOS and OS X. According to Krzanich, going forward, Intel promises to offer timely and transparent communications, with details on patch progress and performance data. Because Spectre and Meltdown are hardware-based vulnerabilities, they must be addressed through software workarounds. In some cases, these software patches cause machines to perform more slowly. Apple users do not need to worry about performance impacts. According to Apple, Meltdown had no measurable reduction in performance on devices running macOS and iOS across several benchmarks. Spectre, fixed through a Safari mitigation, had no measurable impact on most tests, but did impact performance by less than 2.5% on the JetStream benchmark. Apple says it plans to continue to refine its mitigations going further. In addition to remaining transparent

Apple Once Again Blocks Older Versions of Adobe Flash Player Due to Vulnerability

Last week Adobe issued a security advisory for Flash Player, indicating that version 21.0.0.242 and earlier had a critical vulnerability that could potentially cause a crash and allow an attacker to take control of the infected system. Adobe issued a fix a couple days later. Apple today published a support document explaining that users with out-of-date versions of the Adobe Flash Player plug-ins will see a "Blocked plug-in," "Flash Security Alert," or "Flash out-of-date" message when attempting to view Flash content in Safari. Plug-ins like Adobe Flash Player have long been an issue for Apple, requiring forced updates and security fixes to patch vulnerabilities. When vulnerabilities arise, Apple has been consistent in blocking older versions of the web plug-ins. Apple is looking to reduce the risk of potential issues with macOS Sierra, in which Safari will deactivate Flash Player and other plug-ins by default in an effort to push the more modern HTML5. To continue using Flash, users must download the latest Adobe Flash Player update from Adobe's website