Check out this link! It's not like it'll crash your iPhone or anything (Hint: Of course it will)

Apple iPhones, iPads, and Mac computers that stray onto websites with malicious CSS code, while using Safari, can crash or fall over – due to a flaw in the web browser. The WebKit rendering engine vulnerability can be triggered by just a few lines of code in a cascading style sheet (CSS). On iOS devices, at least, it all …

  1. Wellyboot Silver badge
    Unhappy

    >>>Neither vulnerability can push malware onto crashed devices so it's more a nuisance than anything else<<< yet

    I'm sure there's an evil git or two working on that as we speak

    1. Anonymous Coward

      Given that Apple released iOS 12.0 today, and 12.0.1 would inevitably follow to clean up any lingering issues, the timing of this means the exploit window will be very short indeed. Since 12.x is available on everything that supported 11.x, and results in performance increases over 11.x as well, there's zero reason why anyone should be unwilling to upgrade and get that fix when it is available, either.

      1. Lee D Silver badge

        "there's zero reason why anyone should be unwilling to upgrade..." "and 12.0.1 would inevitably follow to clean up any lingering issues"

        (raises hand)

        Oooh, oooh, me, sir, I've seen the answer!

      2. Wibble

        Since 12.x is available on everything that supported 11.x, and results in performance increases over 11.x as well, there's zero reason why anyone should be unwilling to upgrade

        What if you have some older 32 bit applications which aren't available in 64 bit?

        1. Anonymous Coward

          Then it's the fault of the author for not updating it, when Apple started telling devs of the need to do so over three years ago.

        2. unbearable

          What if you have some older 32 bit applications which aren't available in 64 bit?

          Then you're bit outta luck.

  2. sorry, what?
    WTF?

    Probably snobbish, but...

    It seems to me that too many people think of writing HTML and CSS as "coding". In my opinion it is not.

    In my view:

    CSS isn't code; it is a set of rule definitions that tell the browser (or other rendering engine) what effects to apply to specifically selected markup.

    HTML isn't code; it is a structured set of markup that describes content to be rendered.

    JavaScript is code; it provides executable statements with various programming constructs such as iteration and conditional execution, arithmetic logic and variable management. It is a significantly different proposition to CSS or HTML.

    1. Charlie Clark Silver badge

      Re: Probably snobbish, but...

      Actually, I think that CSS may actually be Turing complete. But, yeah, writing HTML & CSS isn't programming.

    2. Ian Joyner Bronze badge

      Re: Probably snobbish, but...

      Programming is not coding anyway. Coding is what a code generator in a compiler does.

      But programming does not have to be imperative, like functional programming it can be declarative. This is telling the computer what you want, rather than how to do it. Relational databases are also founded on this principle.

      And imperative languages do not have to be cryptic and code-like like JavaScript, C, and C++.

      We need to get away from code.

      1. find users who cut cat tail
        Headmaster

        Re: Probably snobbish, but...

        > Programming is not coding anyway...

        No, this is coding.

        1. DJV Silver badge
          Happy

          Re: No, this is coding.

          And so is this: https://en.wikipedia.org/wiki/Brainfuck

          But it will do more damage to your sanity than any CSS!

  3. Anonymous South African Coward Silver badge

    T-t-t-t-triggered!!!

  4. Anonymous Coward

    And here's the reason it's not good there are so few browser engines

    Webkit, Gecko, Trident. And on Apple devices, just Webkit. Not a great idea.

    1. Anonymous Coward

      Re: And here's the reason it's not good there are so few browser engines

      So you'd rather there were a dozen browser engines, of which 8 were vulnerable, than three browser engines of which 2 were vulnerable? Or are you just assuming if there were a dozen browser engines we'd still have only 2 vulnerable ones and the other nine new ones would all be fortunate enough to not be vulnerable?

      1. Anonymous Coward

        Re: And here's the reason it's not good there are so few browser engines

        Well, I'd rather we weren't a heartbeat away from only having 2 (if Mozilla couldn't stagger on any more). And iOS users might not be too delighted that they have a choice of precisely one engine. So whilst I wouldn't go along with your strawman of a dozen browser engines, I don't think that the current situation is good for anyone.

      2. heyrick Silver badge

        Re: And here's the reason it's not good there are so few browser engines

        "So you'd rather there were a dozen browser engines"

        I'd rather there was more than ONE, because in my time using an older iOS release, I found Safari to be quite crashy. No worries, there's always Dolphin. Oh wait, it crashes in exactly the same way on the same things.

        At least on Android, stuff that messed up the stock browser (including that hideous bodging of text sizes) could be dealt with by installing Firefox...

        It's called choice. Too much choice may not be good, but no choice at all is worse.

    2. anonanonanon

      Re: And here's the reason it's not good there are so few browser engines

      This is actually enforced in the dev guidelines, you must use Apple's API to access web content, other kits aren't allowed.

    3. Anonymous Coward Silver badge
      Paris Hilton

      Re: And here's the reason it's not good there are so few browser engines

      "And iOS users might not be too delighted that they have a choice of precisely one engine."

      I thought that the main pulling-force of iOS was precisely that the users don't have to make any choices? It's Apple's way or no way.

  5. choleric

    WebKit shmebkit

    Firefox on Android 8 is ok here.

  6. Robert Forsyth

    Tried on KDE Konqueror

    KHTML engine -> Thomas and Triggered

    WebEngine -> Thomas and Triggered

    WebKit -> 0

    KHTML taken by Apple for base of WebKit

    WebKit taken by Google for Chrome

  7. Shadow Systems Silver badge

    Here's an evil thought...

    Go to an electronics mega store or into an actual Apple store & head over to their desktop section.

    Use a Bluetooth enabled device to broadcast that URL as a bookmark on the desktop.

    Next go through the Iphone/Ithing section doing the same thing, so every Apple device now contains the bookmark.

    Leave before anyone clicks said bookmark & gives the place a feisty, festive air.

    I'm not worried that it's evil, I already know Heaven doesn't want me & Satan's got a restraining order...

    1. heyrick Silver badge

      Re: Here's an evil thought...

      Didn't people do that with BBC Micros back in the eighties?

      10 *FX something to disable Escape

      20 PRINT "rude message here"

      30 GOTO 20

      1. irrelevant

        Re: Here's an evil thought...

        It was usually more effective to redirect the Break vector to a customised error... Only way around that one was to power off..

  8. Winkypop Silver badge
    Facepalm

    Like a wet paint sign

    People just HAVE to click.

    1. DJV Silver badge

      Re: Like a wet paint sign

      Sir, I can honestly say that I have never in my life clicked on a wet paint sign!!!

      (Just stuck my nose on the paint to see how dry it was, maybe...)

  9. imanidiot Silver badge
    Trollface

    Think Different

    Because why wouldn't you want to crash on a simple CSS glitch...

  10. Anonymous Coward

    Barclays

    There seems to be a bug in the Barclays online payments page (or there was last week) that crashed Firefox tabs with 100% CPU load part way through page display on a MacBook. I wonder if it is the same thing.

  11. MS-Surface

    Few results...

    MS Edge on W10 displays: This page is having a problem loading...

    MS Edge on W10 Mobile displays: This page is having a problem loading...

    MS IE 11 on W10: We were unable to return you to rawgit.com...

    Firefox on W10 loads the website: Triggered.

    Opera on W10 loads the website: Triggered.

    None of the tested devices/browsers above crashed or froze.

    Safari on iOS 11 & 12, iPhones 7,8 & iPads 6th 2018 freezes and crashes/reboots the devices.

  12. Anonymous Coward

    It is now 403 Forbidden according to all of my browsers on my PC.

    Haven't tried it on my iPhones yet. Can't check and verify the payload if it is harmless, that's why.

    1. EJ

      Defused now?

      403 Forbidden on iOS 12 Safari...
