
Simple Arabic text string instantly crashes OS X 10.8 and iOS 6 apps

by Mark Tyson on 30 August 2013, 11:54

Tags: iPad, iPhone, PC


A short string of Arabic text will crash any app on OS X 10.8 and iOS 6 that uses the Apple CoreText rendering engine. The text string was revealed earlier this week on a Russian website, the author of which claims Apple has known about the problem for six months and not reacted. Many applications on Mac OS X and iOS use the CoreText rendering engine including iOS SMS messaging, iMessage, Safari and Chrome. It was also revealed that scanning for Wi-Fi networks and finding one named with this text string, dubbed 'the Unicode of death', can cause this crash to occur.

Ars Technica reports that the string of Arabic text is 'nonsensical', so it wouldn't normally appear anywhere day to day, but since this news broke the text string has appeared on many web sites, in Tweets and so on. The Facebook team has already implemented a block on this particular string of text and pops up a 'message failed' warning should you try to insert this text in your newsfeed. Since iMessage, for example, loads a history of messages, it's particularly annoying to try to get it started again after a crash caused by this text string; in that case a system restore may even be necessary to start afresh.

To avoid the exploit, The Mac Observer recommends that Mac and iDevice users: not open web pages and documents containing the string; restart Safari while holding Shift-Option, to start with a clear single browser tab; and, if possible, delete threaded not-showing messages in the iOS Messages app which contain this string. It is also noted that Firefox uses its own web text rendering engine, so it can display the 'Unicode of death' without any problem. Here's a link to a page containing the text for users to test.

The Russian website which brought this problem to light says that the bug can cause users annoyance but it "does not allow anyone else to access your computer remotely". A security researcher from Azimuth Security talking to Ars confirmed that "...there is no evidence at this time that this can be leveraged for anything more than an application crash".



HEXUS Forums :: 8 Comments

Unicode is… a bit fiddly. So I guess it's no surprise that over the years I've seen loads of bits of software get patched to deal with Unicode issues (PHP, I'm looking at you particularly sternly).
Am I having some deja vu here, or is this an old bug?
The Mac Observer recommends Mac and iDevice users to; not open web pages and documents containing the string
Not trying to poke fun or anything, but how are you supposed to know if a web page or document contains the “string of iDeath” until you actually open it?

I wouldn't think that this'll remain unpatched long.
Yeah, that advice made me chuckle.
crossy
The Mac Observer recommends Mac and iDevice users to; not open web pages and documents containing the string
Not trying to poke fun or anything, but how are you supposed to know if a web page or document contains the “string of iDeath” until you actually open it?

I wouldn't think that this'll remain unpatched long.

Let's hope it is patched faster than flashback…