A specific string of Arabic text can crash Web browsers and other applications on iOS and OS X when they are forced to render it. Posters on a Hacker News thread discovered the bug, which appears to be an issue with Apple’s CoreText API, according to Ars Technica. Some Twitter users have called the character string the “unicode of death.”
The original Hacker News thread suggested that the flaw was specific to the WebKit browser engine, which is used by both Apple’s Safari and Google’s Chrome. However, the bug actually affects any application that uses CoreText, Ars Technica reported. The character string crashes Safari in both OS X 10.8.4 and iOS 6.1.3, and in Chrome it brings down the page attempting to display it. Firefox, which uses its own font rendering tool, is not affected. The string does, however, trigger crashes in many other applications on Mac and iOS devices.
Text messages displaying the characters in iMessage could trigger a crash loop, since the app attempts to display previous messages each time it is loaded, Ars Technica noted. Additionally, many email programs were vulnerable to the string, and devices could even be hit by the bug if the text was included in the name of a wireless network that appeared on the device’s list of available connections. Instances of the characters appearing in social media messages were also a threat, leading Facebook to roll out an update blocking the characters from being posted to user walls and timelines within hours of the bug becoming public.
Addressing the error
According to sources cited by Ars Technica, the issue has been known to some users since February, and a post on a Russian forum claimed that it has been fixed in both the upcoming OS X 10.9 and iOS 7. Users can also avoid it in their browser by switching to Firefox. In the meantime, researchers have been trying to determine exactly how the bug works and whether it can be exploited to more malicious ends.
“It’s unclear whether or not this could be leveraged to accomplish more than crashing the target,” Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars. “This depends on the degree to which the invalid memory access can be controlled by the attacker input, and whether the access is a read violation (which might be leveraged to leak information about the target process for use in more complex attacks) or a write violation (which might be used to gain arbitrary code execution).”
At the moment, however, there is no reason to believe that the bug does anything more than crash applications, he said. Nonetheless, an underlying flaw that lets a specific string of Unicode characters crash an application is the kind of frustrating defect developers should try to avoid. Catching errors that limit the functionality of applications is an essential part of the development process. Programmers can use tools such as static analysis software to locate potential issues and fix them prior to release.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.