A new attack has been discovered that causes iOS to restart or respring and macOS to freeze when a user simply visits a web page that contains certain CSS & HTML. Windows and Linux users are not affected by this bug.

"The attack uses a weakness in the -webkit-backdrop-filter CSS property," Haddouche told BleepingComputer. "By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require JavaScript to be enabled, therefore it also works in Mail. On macOS, the UI freezes. On iOS, the device restarts."

This attack affects all browsers on iOS, as well as Safari and Mail in macOS, because they all use the WebKit rendering engine.

"All browsers on iOS are affected because the underlying rendering engine is WebKit," Haddouche explained. "As per App Store rules, it is forbidden to bring your own rendering engine."

Depending on the version of iOS being used, it could cause a respring, which is a UI restart, or a kernel panic that causes the device to reboot. For example, Haddouche performed his tests on iOS 12 and the device completely rebooted, but on iOS 11.4.1, it only caused a respring.

For macOS, the attack will only cause Mail and Safari to freeze for a second and then slow down the computer. 

Haddouche has told BleepingComputer that he has created an additional attack using HTML, CSS, and JavaScript that will totally freeze macOS computers, but has not released it as it persists after reboot and essentially bricks the computer.

Attack works simply by visiting a web page

When a user visits a page hosting this specially crafted CSS & HTML, depending on the iOS version, the device will quickly use up all available resources. On iOS this will cause either a kernel panic and a reboot or a restart of the iOS SpringBoard.

For Mac users, this will cause your computer to freeze briefly and slow down, but you can close the Safari tab to stop the attack.

To illustrate this attack, I created a video showing what happens when you visit Haddouche's attack page on GitHub with an iPhone running iOS 11.4.1. As you can see, once I visited the page the iOS SpringBoard quickly crashed and restarted.

Unfortunately, at this time there is no way to mitigate this type of attack. Haddouche has told BleepingComputer that other than "not clicking on random links, Apple will have to deploy a fix."
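Because the trigger is static markup (nested elements carrying -webkit-backdrop-filter), software that sees HTML before a WebKit client renders it, such as a mail gateway, can flag that shape without executing anything. The following detector is an added example, not code from Haddouche or from this article; its function names and the nesting threshold MAX_NESTED are assumptions, and it also matches the unprefixed backdrop-filter property.

```python
import re
from html.parser import HTMLParser

PROP = re.compile(r"(?:-webkit-)?backdrop-filter\s*:", re.I)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")  # selector { declarations }
VOID = set("area base br col embed hr img input link meta source track wbr".split())
MAX_NESTED = 3  # assumed policy threshold, not a value from the article

class _Scan(HTMLParser):
    def __init__(self, classes=()):
        super().__init__()
        self.classes = set(classes)  # class names whose CSS rule sets the property
        self.stack, self.css, self.depth, self.max_depth = [], [], 0, 0
    def handle_starttag(self, tag, attrs):
        if tag in VOID:  # void elements never nest anything
            return
        a = dict(attrs)
        hit = bool(PROP.search(a.get("style") or "")
                   or self.classes & set((a.get("class") or "").split()))
        self.stack.append((tag, hit))
        self.depth += hit
        self.max_depth = max(self.max_depth, self.depth)
    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "style":
            self.css.append(data)
    def handle_endtag(self, tag):
        if tag == "style":  # over-approximate: every class named in a matching selector
            for selector, body in RULE.findall("".join(self.css)):
                if PROP.search(body):
                    self.classes.update(re.findall(r"\.([\w-]+)", selector))
            self.css = []
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed children
            if self.stack[i][0] == tag:
                self.depth -= sum(h for _, h in self.stack[i:])
                del self.stack[i:]
                break

def backdrop_nesting_depth(html):
    """Deepest chain of nested elements that each carry backdrop-filter."""
    first = _Scan(); first.feed(html); first.close()  # pass 1: collect classes
    second = _Scan(first.classes); second.feed(html); second.close()
    return second.max_depth

def is_suspicious(html, limit=MAX_NESTED):
    return backdrop_nesting_depth(html) > limit

# Constructed samples: an ordinary frosted header, and a short nested chain.
BENIGN = '<style>.bar{-webkit-backdrop-filter:blur(2px)}</style><div class="bar"><p>hi<br></p></div>'
NESTED = '<style>.f{-webkit-backdrop-filter:blur(2px)}</style>' + '<div class="f">' * 6 + '</div>' * 6
```

The check only sees inline styles and class rules in style blocks inside the same document; rules loaded from an external stylesheet are outside its view.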

For those who want to see the CSS & HTML that causes this attack, the researcher has posted it on his GitHub page. Just be careful when clicking on the rawgit.com link as it will quickly crash your iOS device or cause problems on your Mac.