A bug in Apple's CoreText rendering engine in iOS 6 and OS X 10.8 causes any apps that try to render a string of Arabic characters to crash on sight. The string of characters which can trigger the bug — which was discovered yesterday and has spread around the hacking and coding community — has made its way to Twitter, where even looking at it in your timeline will crash the app.
In fact, because it's a CoreText bug, any apps that access this font framework to render text are affected. This means that any apps that use WebKit like Safari are also affected because WebKit uses CoreText.
This is a picture of the string of characters, not replicated here for obvious reasons:
If you'd care to experience the bug for yourself, feel free to seek out the tweet in the pic above, I'm not posting a link. For the record: Tweetbot appears to be immune to this, though it also uses the CoreText engine.
The characters were discovered and posted on a Russian site yesterday morning. The site claims that Apple has known about the problem for 'six months' and has not reacted. The posting includes a request to click the crash report button on any apps affected and report it to Apple.
The issue affects apps on iOS 6 and OS X 10.8 but does not work on OS X 10.9 Mavericks and iOS 7 beta releases. So whatever bug the characters are triggering, they've already been fixed in future releases of the engine. This doesn't help anyone still on iOS 6 of course.
The malicious possibilities are simple, if you send the characters in an SMS, it can initiate a revolving crash of Messages on both OS X and iOS. We confirmed this on both operating systems. You can also deliver the string of text via a web link.
Even worse, you can change the name of a wireless network to the characters and it will crash any device that scans that network to connect.
No comments:
Post a Comment