Forgot your password?
typodupeerror
Bug IOS OS X Security Apple

CoreText Font Rendering Bug Leads To iOS, OS X Exploit 178

Posted by timothy
from the click-carefully dept.
redkemper writes with this news from BGR.com (based on a report at Hacker News), excerpting: "Android might be targeted by hackers and malware far more often than Apple's iOS platform, but that doesn't mean devices like the iPhone and iPad are immune to threats. A post on a Russian website draws attention to a fairly serious vulnerability that allows nefarious users to remotely crash apps on iOS 6, or even render them unusable. The vulnerability is seemingly due to a bug in Apple's CoreText font rendering framework, and OS X Mountain Lion is affected as well."
This discussion has been archived. No new comments can be posted.

CoreText Font Rendering Bug Leads To iOS, OS X Exploit

Comments Filter:
  • by sootman (158191) on Thursday August 29, 2013 @12:26PM (#44707445) Homepage Journal

    I am totally safe.

  • by 0xdeadbeef (28836) on Thursday August 29, 2013 @12:32PM (#44707493) Homepage Journal

    It has jailbreaks, and that's a good thing.

    • I thought Apple added address space randomization back in Leopard? What happened?

      • by gnasher719 (869701) on Thursday August 29, 2013 @01:04PM (#44707825)

        I thought Apple added address space randomization back in Leopard? What happened?

        The problem that was reported leads to a crash. A crash is _safe_. An attacker can't gain any advantage by crashing your computer. They can merely annoy you.

        Address Space Randomization cannot prevent crashes. Its purpose is to prevent crashes being turned into exploits. An attacker does two things: Find a way to make your software fail, then find a way to turn that failure into an advantage for the attacker. The second part is where Address Space Randomization comes in. The next step is Sandboxing, where even if the attacker finds a way past ASR and takes over your code, your code would be in a sandbox and can't do any harm outside.

        • But the GP was referring to jailbreaks - I thought those were exploits "used for good"?

          • But the GP was referring to jailbreaks - I thought those were exploits "used for good"?

            If you have an exploit, you can use it for good or evil. On the other hand, if it is an exploit where the device owner has to do things actively (like downloading an app, connecting the device through USB cable, running the app, clicking five buttons on the device) then there is no danger except the possibility of trojans, so Apple doesn't need to fix it. If it is an exploit that could be used to attack unsuspecting users, then it _must_ be fixed.

            • Yes, but address space randomization was supposed to make those exploits (mostly buffer overflows) obsolete, regardless of their intent. Clearly that didn't work if there are still jailbreaks and/or other exploits.

  • by AmiMoJo (196126) * <mojo@worldCHEETAH3.net minus cat> on Thursday August 29, 2013 @12:42PM (#44707609) Homepage

    The Windows versions of iTunes and Safari include the MacOS font rendering code so that they look identical to the Mac versions. If the code is vulnerable it seems that those applications may also be vulnerable, although at least it's an app level problem and thus not as serious.

  • by Anonymous Coward on Thursday August 29, 2013 @12:44PM (#44707637)

    Here's a link to the crasher string in question:

    http://pastebin.com/kDhu72fh

    (warning: will crash Safari on OS X 10.8. Firefox doesn't crash.)

    • by Cinder6 (894572) on Thursday August 29, 2013 @01:45PM (#44708317)

      Confirmed Safari crash on 10.8. However, on iOS 7, it does not crash. It looks like this will be patched on mobile within the next couple of weeks. I can't test iOS 6, so I'll take others' word for it.

      • by Smurf (7981)

        Yes, TFS fails to mention that both of TFA's specifically state that neither iOS 7 nor OS X 10.9 Mavericks are affected by the bug.

  • by Spy Handler (822350) on Thursday August 29, 2013 @12:45PM (#44707645) Homepage Journal

    if the attacker has physical access to your machine, you're already toast.

  • by Anonymous Coward on Thursday August 29, 2013 @12:55PM (#44707739)

    Otherwise someone would post it in the comments here and crash iPhone users' browser!

    • But Facebook and Twitter do...

      https://zhovner.com/tmp/killwebkit.html [zhovner.com]

      • Actually, facebook doesn't. I accidentally had downloaded the magic terrorist mantra using curl in a konsole, from which I copy-pasted it into Facebook. However, konsole must have stripped its magic vibes...

        After I retried it by visiting the URL with Firefox, and copying the contents from there to Facebook, I got "This message contains content that has been blocked by our security systems.

        If you think you're seeing this by mistake, please let us know."

        ... but Twitter still took it!

        • Actually, facebook takes it too, but it takes somewhat more smarts: just set up a web page, enter the magic terrorist thread as the <title, and post a link to the web page to Face book. As Facebook enters the title itself, it will not scan it for any "forbidden content", and presto!

          I still don't know what this Arabic sentence means, but I tested it with Safari on a Mac, and indeed, it goes kaboom as soon as I visit my Facebook page!

  • That this can be used to get an ATV 3 cracked

  • It's written in C and it's a buffer overflow exploit, right?

    We warned you. You didn't listen. Now suffer. [animats.com]

    • It's written in C and it's a buffer overflow exploit, right?

      It's a crash. It's not an exploit. Therefore you are wrong, it is not a buffer overflow exploit.

  • Great. So when is the next jailbreak for 6.1.4 coming out?

  • The best part: Just name your Wifi network the exploit string:

    Safari is also impacting by the bug, and naming a Wi-Fi network with one of the strings of text can cause an error while an Apple device is scanning for networks.

    So, just buy a couple of inexpensive Wifi mini routers [alibaba.com], hook them up a battery pack, and place them near apple user watering holes, sit back and watch the fun...

"The pyramid is opening!" "Which one?" "The one with the ever-widening hole in it!" -- The Firesign Theatre

Working...