Apple Core Text Rendering Bug Crashes Apps in OS X and iOS

A bug inside Apple's Core Text rendering framework has been discovered (via Hacker News), a bug that can crash apps in OS X and iOS. The issue was reported to Apple and has reportedly been fixed in iOS 7 and Mavericks, but it currently affects both iOS 6 and OS X Mountain Lion.

Considering that the release of iOS 7 and Mavericks is still weeks away, this bug is a major concern. This is exacerbated in part because the exploit is incredibly easy to implement. Triggering it is as simple as your Mac or iOS device rendering (showing) a specific string unicode text characters.

OS X and iOS Core Text rendering bug could crash your apps big timeOS X and iOS Core Text rendering bug could crash your apps big time

To clarify, if you open a document, open a webpage, or even receive a text message with this string of text, the app will crash. This can be particularly problematic because apps in Mountain Lion and iOS 6 will reopen any documents or windows that were open before it quit or crashed.

In addition, any app that uses Apple's Core Text to render text can potentially be exploited. Worse, the exploit can be used on a website to cause Webkit based browsers like Safari and Chrome to crash leading to a sort of denial of service (DOS) attack when they attempt to re-open any pages or tabs you had open at the time of the crash.

It can also crash Messages in a very serious way. If a jackass friend or malicious enemy texted you the string, it will render Messages completely unusable and require a complete restore of your system. That's the biggest danger of this exploit since the browser-based exposure is relatively easy to avoid or fix.

Here's what the string looks like, as posted in a reddit thread on the topic (NOTE THAT THIS THREAD WILL CRASH SAFARI AS OF THIS WRITING). This is an image of the text, so it won't crash your browser—this bug is only triggered when rendering text strings, not graphics.

Malicious Arabic String

The Arabic text string that will crash Safari

By the way, Ars Technica noted that it also been nicknamed the Unicode of Death, an entertaining and accurate label.



Here's how it works:

  1. The triggering unicode string is placed on a page or in a document and rendered by the browser or app, causing the crash. This could be done in code by writing a script to render the string to the page. It could possibly be done by simply entering the unicode into a page via a web form. For example using a form that let's you post a comment to a web site.
  2. When the WebKit based browser or other app that uses Core Text Rendering displays the text the app crashes.
  3. The user tries to relaunch the browser. The browser attempts to re-open the last opened page (which still has the text in it) and the browser crashes again.
  4. You're now in an endless browser crashing loop. Your browser has effectively been DOS'd (denial of serviced, because we're making it a verb).

To protect yourself against this exploit:

  1. Don't open webpages or documents with the string.
  2. Since doing so isn't always an option, you can restart Safari without opening your previous windows by holding Shift-Option when opening the app.
  3. If you receive a text message with this string in Messages in iOS 6, you may need to do a full restore of your iOS device to regain use of the Messages app. If you can reopen Messages without the offending message showing, delete that message without opening it if possible. If it's not possible, Messages will simply crash on you.

This is a serious flaw and we hope that Apple fixes it sooner, rather than later.

[Some image elements courtesy Shutterstock]