Slashdot Mirror


Malicious Video Link Can Cause Any iOS Device To Freeze (9to5mac.com)

A new bug in iOS has surfaced that will cause any iOS device to freeze when trying to view a certain .mp4 video in Safari. YouTube channel EverythingApplePro explains the bug in a video titled "This Video Will CRASH ANY iPhone!" 9to5Mac reports: As you'll see in the video below from EverythingApplePro, viewing a certain video in Safari will cause iOS to essentially overload and gradually become unusable. We won't link the infectious video here for obvious reasons, but you can take our word for it when we say that it really does render your device unusable. It's not apparently clear as to why this happens. The likely reason is that it's simply a corrupted video that's some sort of memory leak and when played, iOS isn't sure how to properly handle it, but there's likely more to it than that. Because of the nature of the flaw, it isn't specific to a certain iOS build. As you can see in the video below, playing the video on an iPhone running as far back as iOS 5 will cause the device to freeze and become unusable. Interestingly, with iOS 10.2 beta 3, if you let an iPhone affected by the bug sit there for long enough, it will power off and indefinitely display the spinning wheel that you normally see during the shutdown process. If someone sends you the malicious link and you fall for it, this is luckily a pretty easy problem to fix. All you have to do is hard reboot your device. For any iPhone but the iPhone 7, this can be done by long-pressing the power and Home buttons at the same time. The iPhone 7, of course, uses a new non-mechanical Home button. In order to reboot an iPhone 7, you must long-press the power button and volume down button at the same time.

53 comments

  1. It's called a "memory leak" by Anonymous Coward · · Score: 0

    But no, instead let's speculate about how a malicious hacker wearing a hoodie staring at green HTML code crafted this devastating HACK!

    1. Re:It's called a "memory leak" by AHuxley · · Score: 0

      Considering it's a top US brand and the only best internal teams ... should issues like that really still make it to the user?
      Where is the internal testing, quality control, bug reports, basic app security?
      In house OS, hardware, tools, testing... the very best staff.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:It's called a "memory leak" by Anonymous Coward · · Score: 0

      "The likely reason is that it's simply a corrupted video that's some sort of memory leak"

      Congratulations on not reading the summary. You have helped move the world one step closer to making the opening of Idiocracy into a documentary.

    3. Re:It's called a "memory leak" by Anonymous Coward · · Score: 0

      And you didn't RTFA dipshit. It's chock full of speculation about the origins.

    4. Re:It's called a "memory leak" by syntotic · · Score: 1

      Lost in a genetic algorithm complexity explosion handling algorithm called: let the user base test it and we will run after afterwards. New ideas, new concepts, eh? I only wish MS understood I could do more in a week in Win 3.1 than in years in moving target Win7-8-10.

  2. or just load IOS 10 by n0w0rries · · Score: 2

    or just load IOS 10... my iPhone 5S freezes all the time now.

    1. Re:or just load IOS 10 by youngone · · Score: 1

      I have an iPhone 6 that freezes too.

    2. Re:or just load IOS 10 by Anonymous Coward · · Score: 0

      Clearly you're both using obsolete hardware. Perhaps you would be interested in a shiny new iPhone 7!

      [Note: If you are using an iPhone to play mp4s you are doing it wrong (at least until the iPhone 8)]

    3. Re: or just load IOS 10 by Anonymous Coward · · Score: 0

      That sucks. I just updated my iPhone 5c last week and it isn't so bad. A little sluggish but it's only locked up on me once. And the new YouTube app is terrible.

    4. Re:or just load IOS 10 by Anonymous Coward · · Score: 0

      WHAAAATTT! Apple does not have their own proprietary video format. That can't be correct.

    5. Re: or just load IOS 10 by slazzy · · Score: 2

      My iPhone 4 still works fine as long as I hold it right.

      --
      Website Just Down For Me? Find out
  3. I hope this becomes by Anonymous Coward · · Score: 0

    The new rick rolled

  4. And you can't remove the battery to restart by Anonymous Coward · · Score: 0

    Great, isn't it?

    1. Re:And you can't remove the battery to restart by berj · · Score: 3, Insightful

      What's great is that you don't need to remove the battery to restart it.

      Is that actually a thing? Are there phones that require you to open them up and take out the battery to do a simple hard reset?

    2. Re:And you can't remove the battery to restart by Anonymous Coward · · Score: 0

      No. All smartphones are able to hard reset without removing the battery.

      On the flip side, you have to remove the battery to completely disable surveillance tools that may have been installed on your phone, as these can be activated when the device appears to be turned off.

    3. Re:And you can't remove the battery to restart by thegarbz · · Score: 1

      > What's great is that you don't need to remove the battery to restart it.
      >
      > Is that actually a thing? Are there phones that require you to open them up and take out the battery to do a simple hard reset?

      It's not really a thing, but in many devices taking the battery out is much faster than holding down a set combination of buttons for quite a long time and hoping no one bumps you along the way.

      Plus there's nothing like being 100% sure.

    4. Re:And you can't remove the battery to restart by Dusthead+Jr. · · Score: 1

      I had an original 8GB iPhone in 2008 and it would crash, not often, but in a way where the touch wouldn't work. Everything else worked, the display, the buttons, but it didn't react to touch. Couldn't hard reset without sliding that icon on screen, unless there was some other way to do it which didn't involve going home and doing a factory reset through iTunes. Apple didn't seem to anticipate the touchscreen being unresponsive in a crash.

    5. Re:And you can't remove the battery to restart by konohitowa · · Score: 1

      Press and hold the upper right button and the home button simultaneously for a few seconds.

    6. Re:And you can't remove the battery to restart by berj · · Score: 1

      > Apple didn't seem to anticipate the touchscreen being unresponsive in a crash

      Yes they did.

      The hard reset is holding down power and home (or volume down in the case of the iPhone 7) for a few seconds. No touch screen interaction is required.. the phone just reboots.

    7. Re:And you can't remove the battery to restart by berj · · Score: 1

      Personally I don't think that less than 5 seconds from holding down the two buttons to the phone starting its shutdown sequence is quite a long time.

      Also.. if you can't go 5 seconds without someone bumping you so hard that you can't keep your fingers on two buttons then I shudder to think what's going to happen to the cover and battery when you are bumped.

    8. Re:And you can't remove the battery to restart by thegarbz · · Score: 1

      > Personally I don't think that less than 5 seconds from holding down the two buttons to the phone starting its shutdown sequence is quite a long time.

      I wouldn't either, but then my phone doesn't do anything if you hold down a few buttons for 5 seconds.

    9. Re:And you can't remove the battery to restart by berj · · Score: 1

      I don't follow. On any iPhone if you hold the sleep/power button along with the home (or volume down for iPhone 7).. your phone will shut down -- no matter what it's doing or if it's crashed.

      No need to do anything fancy or open anything up and hope that someone doesn't knock the battery out of your hand.

    10. Re:And you can't remove the battery to restart by thegarbz · · Score: 1

      I didn't realise we were limiting the discussion to just iPhones. Yeah on the iPhone's 5 second hard reset still applies. That said I have seen a device before where its hard reset routines did nothing and a battery pullout was the only option. An LG device from a few years back. I hope Apple get it right when they remove their last physical button.

    11. Re:And you can't remove the battery to restart by Plumpaquatsch · · Score: 1

      > It's not really a thing, but in many devices taking the battery out is much faster than holding down a set combination of buttons for quite a long time and hoping no one bumps you along the way.

      If "taking the battery out is much faster than holding down a set combination of buttons for 'quite a long time' " (for values of `quite long` of a few seconds), then accidentally removing your battery is an actual possibility.

      --
      Of course news about a fake are Fake News.
    12. Re:And you can't remove the battery to restart by thegarbz · · Score: 1

      Errr no. One has nothing to do with the other. I can remove a GoPro from its underwater case in under half a second despite a wonderful dual latching system that makes inadvertent opening almost impossible.

      Likewise I can get my phone's battery out in about 2-3 seconds and yet it has never fallen out on its own accord, even the several times it's been dropped and shot across the room (no idea how my screen hasn't cracked yet).

  5. GStreamer by Anonymous Coward · · Score: 0

    So, iOS uses GStreamer?

  6. link to video by Gravis+Zero · · Score: 3, Informative

    this is the link to the video that will crash apple products. Share with all your iFiends. ;)

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:link to video by Anonymous Coward · · Score: 2, Funny

      I don't get it, it doesn't seem to do anyth

      Sent from my iPhone

    2. Re:link to video by Anonymous Coward · · Score: 0

      I am personally not a fan of being completely shaved, but trimming and keeping your space clear only benefits you in the long run. As a woman, the thought of getting a mouthful of hair is completely disgusting and will definitely turn me off from certain sexual acts. Just my opinion :)

  7. QA by JBMcB · · Score: 1

    Sure, all you have to do is test absolutely every combination of HTML, CSS, JavaScript, SVG, and MP4 streaming configuration you could ever possibly conceive of.

    Keep in mind, the MP4 spec is... extensive:
    https://en.wikipedia.org/wiki/...

    --
    My Other Computer Is A Data General Nova III.
    1. Re:QA by Anonymous Coward · · Score: 1

      It's not mp4. Based on ffmpeg's output it looks like there is a case where they aren't doing bounds checking correctly in the H.264 decoder.

    2. Re:QA by Anonymous Coward · · Score: 0

      The H.264 decoder should be a hardware block. If what you say is true, then yay hardware bug workarounds!

  8. Didn't crash iOS 5.1.1 by Anonymous Coward · · Score: 0

    Yay.

  9. the new drink sensation by Anonymous Coward · · Score: 0

    > my iPhone 5S freezes all the time now.

    put it in a glass with gin and tonic, shaken not stirred.

  10. Video Memory leak? by aglider · · Score: 1

    > it's simply a corrupted video that's some sort of memory leak

    Maybe it is the browser/player/library that has a memory leak, triggered and exploited by means of a specially crafted video file!
    ah!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  11. What do you prefer ? by Anonymous Coward · · Score: 0

    To freeze or to burn into flames ?

    1. Re:What do you prefer ? by GrumpySteen · · Score: 1

      Apparently you think the only two smart phones in existence are the iPhone and the Galaxy Note 7. Boy are you in for a surprise if you ever crawl out of your basement and actually visit a store that sells cell phones.

  12. Stopped reading there. by Anonymous Coward · · Score: 0

    "We won't link the infectious video here for obvious reasons", yeah, no. "I won't link to this" is the battlecry of liars on the internet, and thus I can safely assume that this article was also penned by a liar. Even if it's true I have become wary of all forms of news following this election and the Gamergate debacle showing just how many news writers are filthy fucking liars.

    If all the facts are not presented, I will consider it "fake news". A major fact was not presented, thus I dub this fake news.

    1. Re: Stopped reading there. by Anonymous Coward · · Score: 0

      https://vk.com/doc106491973_439166823

  13. Already fixed? by Anonymous Coward · · Score: 0

    This doesn't do anything to my iPhone. Did Apple already fix it?

  14. Re:Sigh by mccalli · · Score: 1

    Maybe not in video, but I worked at an image processing place where we deliberately created a file called "bastard.tif". The purpose of this file was to exploit every aspect of TIFF we could find, and for those familiar with the standard you'll know that's a lot. We used non-standard pixel ratios, we switched encoding mechanisms multiple times through the file...we did everything we could to make a standards-valid TIFF that would crash everything.

    Wasn't malicious, we were a commercial data processing shop and image creation/conversion was our thing. We could crash Photoshop (non-square pixels - this is early-to-mid-nineties, no idea if it still crashes it), we could bring down things like Kofax Libraries which at the time were fairly advanced pro image coding libraries. We could crash most Unix utilities for working with images...you get the idea. We definitely were thinking about it, and we were actually doing it. The idea was to know what we could and couldn't do whilst coding our image processing software - we didn't want to create a final image that, whilst technically valid, couldn't actually be used anywhere.

  15. Re:Sigh by Anonymous Coward · · Score: 0

    They were just lazy. We had the exact same discussions in FFmpeg, and guess what? In almost all cases you can do it efficiently, usually by requiring a few extra bytes of padding so you don't need to do a bounds check at every bit. The remaining checks cost less than 1%.
    Of course that then leads to users complaining that they have to pad their buffers, but such is life!
    There was some discussion about having a mode that doesn't require padding, and in some cases even that is reasonable, but in quite a few other cases it would mean you can't really do SIMD properly anymore, since trying to do bounds checks in SIMD code doesn't work very well.
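The padding approach from the comment above, which also bears on the missing bounds check the earlier QA reply attributes to the H.264 decoder, sketched as an added example (it is not part of the thread and not FFmpeg's code). `PAD`, `BitReader` and the toy unit format are assumptions made for illustration: reads have no error branch, the position saturates inside the padding, and validity is checked once per unit.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAD 8  /* assumed padding size: zero bytes appended after the payload */

typedef struct {
    const uint8_t *buf;  /* payload followed by PAD zero bytes */
    size_t size_bits;    /* payload length in bits, padding excluded */
    size_t limit;        /* furthest bit position a 4-byte load may start from */
    size_t pos;          /* current bit position */
} BitReader;

static void br_init(BitReader *br, const uint8_t *padded, size_t len) {
    br->buf = padded;
    br->size_bits = len * 8;
    br->limit = br->size_bits + (PAD - 4) * 8;
    br->pos = 0;
}

/* Read n bits (1..25), MSB first. No error branch: a read past the payload
   returns padding zeros, and pos saturates at limit so the 4-byte load
   always stays inside the len + PAD allocation. */
static uint32_t br_read(BitReader *br, unsigned n) {
    const uint8_t *p = br->buf + (br->pos >> 3);
    uint32_t w = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | p[3];
    uint32_t v = (w << (br->pos & 7)) >> (32 - n);
    br->pos += n;
    if (br->pos > br->limit) br->pos = br->limit;
    return v;
}

/* Constructed toy format: 5-bit count, then count 7-bit values.
   Returns 0 and the sum of the values, or -1 if the data ran out. */
int decode_unit(const uint8_t *data, size_t len, unsigned *sum) {
    uint8_t *padded = calloc(len + PAD, 1);  /* calloc zeroes the padding */
    if (!padded) return -1;
    if (len) memcpy(padded, data, len);

    BitReader br;
    br_init(&br, padded, len);
    unsigned count = br_read(&br, 5), total = 0;
    for (unsigned i = 0; i < count; i++)
        total += br_read(&br, 7);

    int truncated = br.pos > br.size_bits;  /* the one check, after the loop */
    free(padded);
    if (truncated) return -1;
    *sum = total;
    return 0;
}
```

The loop count here is capped at 31 by its 5-bit field; a decoder whose counts come from wider untrusted fields has to bound them or test for overrun inside the loop as well.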

  16. Re:I'm not surprised. by Anonymous Coward · · Score: 0

    > they do maintain a few projects that are really nice (Clang/LLVM is one of those)

    Really? The project where the idea of a library interface is "just dump all code in a .so and export all symbols, including non-namespaced C symbols with generic names that are certain to break some program in the future due to collisions"? You must have a very different idea of "nice" projects than me.
    Check yourself, at least 3.8 still exports symbols like ConvertUTF8toUTF16. What could go wrong!

  17. Re:Sigh by Bongo · · Score: 1

    You, Sir, were having too much fun.

  18. working link - http://po.st/tExdYj by Anonymous Coward · · Score: 0

    working link - http://po.st/tExdYj

  19. If it's a memory leak.... by tekrat · · Score: 1

    Why doesn't this affect all types of computers? Why doesn't it affect Android, Mac OS, Windows, and Linux? Why *just* IOS? That doesn't make sense, there must be something unique about IOS where it doesn't handle video as well as other OS's....

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:If it's a memory leak.... by tlhIngan · · Score: 1

      > Why doesn't this affect all types of computers? Why doesn't it affect Android, Mac OS, Windows, and Linux? Why *just* IOS? That doesn't make sense, there must be something unique about IOS where it doesn't handle video as well as other OS's....

      Easy, it's a standard, so there are many implementations of it. It's why the Stagefright bugs don't affect iOS - you're trying to test against a different implementation that has a different way of doing things.

      And maybe it does affect Android, but the way Stagefright (or the other media architectures since they did change a couple of times) simply fail in another way that's recoverable.

      There's no one master implementation of MPEG4 video - it's a fairly extensive standard with full specifications so anyone who has a copy of the standard can implement their own version of it. And everyone has - Google, Microsoft, Apple have their own independent implementations, as does VLC, gstreamer, etc.

      In fact, perhaps it affects macOS as well since the code would be most similar between the two.

  20. Re: Sigh by Anonymous Coward · · Score: 0

    Sure, laziness is the problem. FFMPEG released in 2000. QuickTime released in 1991. How well does FFMPEG work on a 16 MHz 68030? Does it work with 8MB RAM?

  21. Re: Sigh by Anonymous Coward · · Score: 0

    Well nobody cares to optimize the codecs from back then that much and there might have been cases where accepting the crash risk may have been worth the speedup. Then again, if it was in the early '90s maybe it really wouldn't have been reasonable (not so sure though, a lot of those codecs back then could overrun and crash only in very specific cases which are not so costly to check for).
    You'll have to disable a lot of stuff in FFmpeg if you want to run it with 8MB of RAM because with loads of modern and table based codecs the binary is larger than that, but it should work. But yeah, trying to run it on a computer from 1991 would not end well I guess, also since the old codecs are not that optimized.

  22. Fine then, so what do you prefer? by Plumpaquatsch · · Score: 1

    > Apparently you think the only two smart phones in existence are the iPhone and the Galaxy Note 7. Boy are you in for a surprise if you ever crawl out of your basement and actually visit a store that sells cell phones.

    To freeze or to still be vulnerable after more than a year?

    --
    Of course news about a fake are Fake News.