August 30, 2013
Apple Operating Systems Brought Down By ‘Unicode Of Death’
Michael Harper for redOrbit.com - Your Universe Online
A string of Arabic letters can wreak havoc on devices running Mac OS X Mountain Lion and iOS 6. The CoreText bug can crash any of these devices that attempt to display this specific and nonsensical string of Arabic letters, according to posters at Hacker News.
The bug is more than just an annoying prank to be played on those owning glowing fruit products. Typing this sequence of letters into a website will crash Safari running on either desktop or iOS devices. If Safari keeps trying to open the page after each crash, the one tiny string of text could keep a user’s browser down until they restore or reset the system.
Similarly, if this string of Arabic is sent in an SMS, the Messages app crashes and is completely unusable without a complete restore of the device. As often happens when vulnerabilities like this pop up in iOS, jailbreakers are hurrying to understand why one small line of text can crash a device and build out a patch for it. Apple has reportedly been aware of this flaw for six months now and has already patched it in beta versions of 10.9 and iOS 7.
Hacker News claims the flaw lives in WebKit, the engine used by Apple to power their browsers.
Ars Technica, however, says the flaw lives in Apple’s CoreText APIs used to render text. In other words, this bug lives deeply in the system and shows up anytime text needs to be displayed on the screen.
The flaw has been affectionately referred to as the “Unicode of Death,” as any application which uses CoreText APIs can be brought down when it tries to render the text. It’s even been shown to bring down a system if the specific string of Arabic letters shows up in the list of available Wi-Fi networks.
As this bug only affects Apple devices, those using Android handsets and Windows PCs can put this text on social networks, send it in email or in text messages and bring down any unsuspecting OS X or iOS device. Following a spike in crashed browsers as a result of pranksters taking advantage of this flaw, Facebook has already begun blocking the Unicode from being posted on walls and timelines.
"It's unclear whether or not this could be leveraged to accomplish more than crashing the target," said Don Rosenberg, a senior security researcher at Azimuth Security in an interview with Ars Technica. “…there is no evidence at this time that this can be leveraged for anything more than an application crash."
Indeed, hackers and pranksters will have to learn the precise string of Arabic to bring down applications and devices. The chances of finding this nonsensical string of text in the wild are extremely low.
According to 9to5Mac, jailbreaker Filippo Bigarella has developed a patch for the bug, but it only works in mobile Safari. According to Bigarella, the fix is “general” and not a “clean solution” at all.
Until then, there are only a few ways to restore functionality to a device which has been hit by this attack. Relaunching Safari after it’s been hit on 10.8 will bring up the same site with the code, so users will have to reset the browser without opening previous tabs by holding Shift-Option when opening the application.
Those who receive the string in Messages in iOS 6 can either send themselves several messages to bump the problem text higher and therefore un-rendered. If this doesn’t work, it may be necessary to do a complete restore to remove the text from message history.