Apple Core Text Rendering Bug Crashes Apps in OS X and iOS


A bug in Apple's Core Text rendering framework, surfaced via Hacker News, can crash apps in OS X and iOS. The issue was reported to Apple and has reportedly been fixed in iOS 7 and Mavericks, but it currently affects both iOS 6 and OS X Mountain Lion.

Considering that the release of iOS 7 and Mavericks is still weeks away, this bug is a major concern, all the more so because it is incredibly easy to trigger: all it takes is for your Mac or iOS device to render (display) a specific string of Unicode text characters.

OS X and iOS Core Text rendering bug could crash your apps big time

To clarify, if you open a document, open a webpage, or even receive a text message containing this string, the app will crash. This is particularly problematic because apps in Mountain Lion and iOS 6 reopen whatever documents or windows were open when the app quit or crashed, so the crash repeats on relaunch.

In addition, any app that uses Apple's Core Text to render text can potentially be affected. Worse, the string can be placed on a website to crash browsers that render text through Core Text, such as Safari and Chrome on OS X, producing a sort of denial of service (DoS) when they attempt to reopen the pages or tabs you had open at the time of the crash.

It can also crash Messages in a very serious way. If a jackass friend or malicious enemy texts you the string, it can render Messages unusable and may require a full restore of your device. That's the biggest danger of this bug, since the browser-based exposure is relatively easy to avoid or fix.

Here's what the string looks like, as posted in a reddit thread on the topic (NOTE THAT THIS THREAD WILL CRASH SAFARI AS OF THIS WRITING). This is an image of the text, so it won't crash your browser—this bug is only triggered when rendering text strings, not graphics.

Malicious Arabic String

The Arabic text string that will crash Safari

By the way, Ars Technica noted that it has also been nicknamed the Unicode of Death, an entertaining and accurate label.


Here's how it works:

  1. The triggering Unicode string is placed on a page or in a document. This could be done in code by writing a script that renders the string to the page, or possibly by simply entering the string into a page via a web form, for example a form that lets you post a comment to a website.
  2. When a WebKit-based browser, or any other app that uses Core Text rendering, displays the text, the app crashes.
  3. The user tries to relaunch the browser. The browser attempts to reopen the last opened page (which still contains the text) and crashes again.
  4. You're now in an endless browser crashing loop. Your browser has effectively been DOS'd (denial of serviced, because we're making it a verb).

To protect yourself against this bug:

  1. Don't open webpages or documents with the string.
  2. Since that isn't always an option, you can restart Safari without reopening your previous windows by holding Shift-Option when opening the app.
  3. If you receive a text message with this string in Messages on iOS 6, you may need to do a full restore of your iOS device to regain use of the Messages app. If you can reopen Messages without the offending message being displayed, delete that message without opening it. If that's not possible, Messages will simply crash on you.
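A scripted way to break the relaunch loop from step 2, added here as an example and not part of the original article: it quits the app and deletes the Resume state that OS X replays on launch, which has the same effect as the modifier-key launch but works for any app by bundle identifier. The saved-state location (`~/Library/Saved Application State/<bundle id>.savedState`) is the standard OS X 10.7+ path; the script name, the function names and the optional `defaults` step are this example's own assumptions.

```shell
#!/bin/sh
# break_resume_loop.sh (example name): stop a Core Text crash loop by removing
# the Resume state that OS X replays when the app relaunches.
# Usage: sh break_resume_loop.sh com.apple.Safari

# Path of the Resume state for a bundle id under a given Library directory.
# Standard OS X 10.7+ layout: ~/Library/Saved Application State/<id>.savedState
saved_state_dir() {
    printf '%s/Saved Application State/%s.savedState' "$1" "$2"
}

# Delete the saved state so the next launch opens no restored windows.
# Returns 0 if state was removed, 1 if there was none.
clear_saved_state() {
    dir=$(saved_state_dir "$1" "$2")
    if [ -d "$dir" ]; then
        rm -rf "$dir"
        return 0
    fi
    return 1
}

main() {
    bundle_id="${1:-com.apple.Safari}"

    # Quit the app first: a running app rewrites its saved state on quit,
    # and a crashed one may still be mid-relaunch.
    if command -v osascript >/dev/null 2>&1; then
        osascript -e "tell application id \"$bundle_id\" to quit" >/dev/null 2>&1 || true
    fi

    # Optional (assumed per-app Resume override; uncomment to stop this app
    # from restoring windows on future launches):
    # defaults write "$bundle_id" NSQuitAlwaysKeepsWindows -bool false

    if clear_saved_state "$HOME/Library" "$bundle_id"; then
        echo "Removed saved state for $bundle_id; relaunch it now."
    else
        echo "No saved state found for $bundle_id."
    fi
}

# Run only when executed as a script, not when sourced for testing.
case "$0" in
    *break_resume_loop.sh) main "$@" ;;
esac
```

Run it as `sh break_resume_loop.sh com.apple.Safari` (or another bundle identifier) after the crash. It removes the restored tab, not the page itself, so reopening that page from History will trigger the crash again.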

This is a serious flaw and we hope that Apple fixes it sooner, rather than later.

[Some image elements courtesy Shutterstock]


Comments

Scott B in DC

You don’t have to do a full restore under iOS. Before restarting Safari go to Settings->Safari then toggle the switch next to Private Browsing. You will be asked if you want to close all tabs. If you press the “Close All” button it will close all tabs including the tab with the offending page.

Every time you toggle this switch, it will ask to close tabs. Aside from setting private browsing mode, it will allow you to close many tabs quickly without trying to tap the little “x” for the tab. This works on all iOS devices.

Adam Christianson

Scott, the full restore mentioned in the article was in case you received the string in an iMessage, not Safari. Although, even with Messages there may be a creative workaround. We're investigating some theories.

Lee Dronick

So is that just a random string of text or is it a word?

Lee Dronick

In regards to iMessages. Don’t they go through Apple’s servers? If so could the string be filtered out on the server?

Bryan Chaffin

It could as long as they were iMessages, Lee, but then a bad actor couldn't really send this string through iMessage because the sender's copy would crash as soon as they entered it.

My understanding of non-iMessage SMS texts is that they are going through the legacy carrier services.

Lee Dronick

Yes, my bad for assuming. I pretty much only text with my wife and we both use iPhones. I get an occasional one from AT&T and a few people so I am used to them being real iMessages.

Paul Goodwin

Not to change the subject, but here's an interesting bug that will disable your iOS device. My 9 yr old granddaughter found this one, and I can't figure out how to fix it for her. In Settings/Passcode Lock, she turned simple passcode OFF. When you do that, a text box appears for you to put your passcode in. That field allows you to paste from something you copied. She had made up a password of Emoji characters and pasted it into the field. iOS accepted it. But you don't have access to Emoji characters when typing in password characters on your lock screen. Apple protected the user from using Emoji characters by disabling them on the keyboard that pops up when you enter your complex passcode. But since it allows a paste of any character, the Emoji characters were accepted. When she powered the iPod Touch down, the lock screen came up, with no way to enter the Emoji characters. Now the device is permanently locked. When she hooked it up to the computer with iTunes, iTunes couldn't recognize it ...it said the device was locked. So she can't even restore it to the factory settings. I told her to call Apple or take it to the local Apple store.

Lee Dronick

Wow Paul! That is quite a bug.

akcarver

Paul, I think I know how to fix your iPad. You’ll need to shut it down, and then while holding the home button, plug it into your computer with the USB cable. This should cause iTunes to detect an iPad in recovery mode and restore it to factory condition. It’s then very easy to restore to a previous backup.

Scott B in DC

Clearing out an iMessage: Send yourself an iMessage or have someone send it to you. Either from the popup (by tapping view message) or the lock screen (slide the iMessage icon), go to the new message. Rather than display the offending message, go to the Messages list (press the Message arrow on the iPhone or on the left side of the iPad).

On the messages list, either slide your finger across the offending message to bring up the delete button then press it or press the Edit button at the top, press the red dash, then press the delete button.

If there are multiple problems, go to Settings->Messages and turn off iMessage. Then back in iMessage, go to the Messages section, press the Edit button and just delete everything!

You still may want to send yourself a message from another iPhone/computer if you cannot open iMessage past the problem and use that message to open the app. I would also first shut it down completely (double tap the home button, press and hold the icon, then press the red “-” to end the program).

All it takes is a little imagination!! grin

Paul Goodwin

akcarver….thanks. Yeah. I posted on Apple's Community Forum and someone posted a fix like you're describing. Unfortunately, I don't think she can restore her stuff because she never backed it up. LOL Never underestimate the mind of a 9 yr old. She wanted a cool password. It was so cold it froze the iPod Touch solid..haha. She's going to cry her eyes out when she loses all her stuff. But she's learned a valuable lesson…well maybe.

Jacalyn Templeton

Arabic String Fix - Found a fix for this bug however it is reliant on knowing who sent you the message:

If you know who sent you the message:
1. Get the offending party to send you clean text message such as “test”. This will push the crappy Arabic string down one level. Don’t open the text.
2. Go to your contacts, choose a contact and select “Send Message”
3. Instead of sending an sms, select the “messages” arrow at the top of the screen
4. From your full “Messages” list, select “Edit” and delete that contact’s full message history
5. (Optional) Remove that person as your contact as you probably won’t want to talk to them again anyway!

If you don’t, you’re stuck until Apple get their act together.

akcarver

Paul, backups are automatic. If she’s got a Mac and an iOS device, then she should be ok. In any case, all her songs, podcasts, movies, apps, etc., should be in her iTunes library, and she can just choose what she wants to put back on the device.

ctopher

According to Google translate it does translate from Arabic or Persian to some text but the English aren’t words. I tried to copy and paste the text but TMO would not post the translation.

So I think the offending text is gibberish in any language.

Jb Poplawski

If you know who sent it to you, i.e., a buddy pulling a prank, send him a picture. If you go through contacts and attempt to send a text it will crash. Open a random pic, send it and then go into iMessage and delete the message, but don't open it.
